Apparatus and method for determining resource trust levels

ABSTRACT

According to one embodiment, an apparatus may receive a first resource token indicating that access to a resource has been requested. The apparatus may determine the value of an access value associated with at least one resource token in response to the determination that the plurality of resource tokens comprises the at least one resource token. The apparatus may determine that the value of the access value is insufficient to grant access to the resource. The apparatus may determine, in response to the determination that the value of the access value is insufficient to grant access to the resource, that access to the resource should be denied.

RELATED APPLICATION

This application is a continuation-in-part application of pending U.S.patent application Ser. No. 13/210,101 entitled “Method and Apparatusfor Making Token-Based Access Decisions”, filed Aug. 15, 2011.

TECHNICAL FIELD

This disclosure relates generally to tokenization and, morespecifically, to determining trust levels.

BACKGROUND

A security system may control a user's access to a resource. To gainaccess to the resource, the user may provide the security system withcredentials, such as a user ID and a password. The security system mayexamine these credentials and various other factors such as, forexample, factors associated with the user, the user's device, and thenetwork environment in deciding whether to grant or deny access to theuser. The security system may also perform several other functionsrelated to the user's access to the resource.

SUMMARY OF THE DISCLOSURE

According to one embodiment, an apparatus may store a plurality oftoken-based rules. A token-based rule may facilitate access to aresource. The apparatus may further store a plurality of resource tokensassociated with the resource. The apparatus may receive a first resourcetoken indicating that access to the resource has been requested anddetermine, based at least in part upon the first resource token, atleast one token-based rule from the plurality of token-based rules. Theat least one token-based rule may associate an access value with atleast one resource token. The access value may indicate the riskassociated with granting access to the resource. The at least onetoken-based rule may condition access to the resource upon the value ofthe access value. The apparatus may determine that the plurality ofresource tokens comprises the at least one resource token. The apparatusmay determine, based at least in part upon the at least one token-basedrule, the value of the access value associated with the at least oneresource token in response to the determination that the plurality ofresource tokens comprises the at least one resource token. The apparatusmay determine, based at least upon the at least one token-based rule,that the value of the access value is insufficient to grant access tothe resource. The apparatus may determine, in response to thedetermination that the value of the access value is insufficient togrant access to the resource, that access to the resource should bedenied.

Certain embodiments may provide one or more technical advantages. Atechnical advantage of one embodiment includes faster and more efficientdetermination of trust levels. Certain embodiments of the invention mayinclude none, some, or all of the above technical advantages. One ormore other technical advantages may be readily apparent to one skilledin the art from the figures, descriptions, and claims included herein.

BRIEF DESCRIPTION OF THE FIGURES

For a more complete understanding of the present invention and itsfeatures and advantages, reference is now made to the followingdescription, taken in conjunction with the accompanying drawings, inwhich:

FIG. 1 illustrates a system for controlling access to a resource;

FIG. 2 illustrates the system of FIG. 1 chaining a container;

FIG. 3 is a flowchart illustrating a method of chaining a containerusing the system of FIG. 1;

FIG. 4 illustrates the system of FIG. 1 aggregating attributes;

FIG. 5 is a flowchart illustrating a method of aggregating attributesusing the system of FIG. 1;

FIG. 6 illustrates the system of FIG. 1 performing attributeabstraction;

FIG. 7 is a flowchart illustrating a method of performing attributeabstraction using the system of FIG. 1;

FIG. 8 illustrates the system of FIG. 1 making an access decision;

FIG. 9 illustrates the levels determined by the system of FIG. 1 inmaking an access decision;

FIG. 10 is a flowchart illustrating a method of making an accessdecision;

FIG. 11 illustrates the system of FIG. 1 re-authenticating a user;

FIG. 12 is a flowchart illustrating a method of re-authenticating a userusing the system of FIG. 1;

FIG. 13 illustrates the system of FIG. 1 combining authenticationmethods;

FIG. 14 is a flowchart illustrating a method of combining authenticationmethods using the system of FIG. 1;

FIG. 15 illustrates the system of FIG. 1 reassigning privileges;

FIG. 16 is a flowchart illustrating a method of reassigning privilegesusing the system of FIG. 1;

FIG. 17 illustrates the system of FIG. 1 prioritizing packets;

FIG. 18 is a flowchart illustrating a method of prioritizing packetsusing the system of FIG. 1;

FIG. 19 illustrates the system of FIG. 1 conditioning an accessdecision;

FIG. 20 is a flowchart illustrating a method of conditioning accessdecisions using the system of FIG. 1;

FIG. 21 illustrates the system of FIG. 1 making an access decision for arelated resource;

FIG. 22 is a flowchart illustrating a method of making an accessdecision for a related resource using the system of FIG. 1;

FIG. 23 illustrates the system of FIG. 1 updating risk in real-time;

FIG. 24 is a flowchart illustrating a method of updating risk inreal-time using the system of FIG. 1;

FIG. 25 illustrates the system of FIG. 1 combining risk ratings;

FIG. 26 is a flowchart illustrating a method of combining risk ratingsusing the system of FIG. 1;

FIG. 27 illustrates the system of FIG. 1 tagging transactions;

FIG. 28 is a flowchart illustrating a method of tagging transactionsusing the system of FIG. 1;

FIG. 29 illustrates the system of FIG. 1 performing context caching;

FIG. 30 is a flowchart illustrating a method of performing contextcaching using the system of FIG. 1;

FIG. 31 illustrates the system of FIG. 1 performing virtual machinerecycling;

FIG. 32 is a flowchart illustrating a method of performing virtualmachine recycling;

FIG. 33 illustrates the system of FIG. 1 performing token termination;

FIG. 34 is a flowchart illustrating a method of performing tokentermination using the system of FIG. 1;

FIG. 35 illustrates the system of FIG. 1 detecting tampering;

FIG. 36 is a flowchart illustrating a method of detecting tamperingusing the system of FIG. 1;

FIG. 37 is a high level architectural diagram of a system that does notuse tokens to control access to a resource; and

FIG. 38 is a high level architectural diagram of a system that usestokens to control access to a resource.

FIG. 39 illustrates the system of FIG. 1 performing real-timeauthentication using subject token combinations.

FIG. 40 is a flowchart illustrating a method of real-time authenticationusing subject token combinations.

FIG. 41 illustrates the system of FIG. 1 performing session validation.

FIG. 42 is a flowchart illustrating a method of performing sessionvalidation.

FIG. 43 illustrates the system of FIG. 1 performing data tokenization.

FIG. 44 is a flowchart illustrating a method of data tokenization.

FIG. 45 illustrates the system of FIG. 1 handling transaction tokens.

FIG. 46 is a flowchart illustrating a method of handling transactiontokens.

FIG. 47 illustrates the system of FIG. 1 determining assurance levels.

FIG. 48 is a flowchart illustrating a method of determining assurancelevels.

FIG. 49 illustrates the system of FIG. 1 determining trust levels.

FIG. 50 is a flowchart illustrating a method of determining trustlevels.

FIG. 51 illustrates the system of FIG. 1 determining integrity levels.

FIG. 52 is a flowchart illustrating a method of determining integritylevels.

FIG. 53 illustrates the system of FIG. 1 performing expert decisioning.

FIG. 54 is a flowchart illustrating a method of performing expertdecisioning.

FIG. 55 illustrates the system of FIG. 1 making access decisions usingexceptions.

FIG. 56 is a flowchart illustrating a method of making access decisionsusing exceptions.

FIG. 57 illustrates the system of FIG. 1 performing end-to-endencryption.

FIG. 58 is a flowchart illustrating a method of performing end-to-endencryption.

FIG. 59 is a flowchart illustrating a method of performing sessionvalidation to access protected resources.

FIG. 60 is a flowchart illustrating a method of performing sessionvalidation for uncontrolled devices.

FIG. 61 is a flowchart illustrating a method of performing sessionvalidation to access mainframe resources.

FIG. 62 is a flowchart illustrating a method of performing sessionvalidation to access third party resources.

FIG. 63 is a flowchart illustrating a method of performing third partysession validation.

FIG. 64 is a flowchart illustrating a method of performing networksession validation.

FIG. 65 is a flowchart illustrating a method of performing emergencysession validation.

FIG. 66 is a flowchart illustrating a method of performing subjectrecognition session validation.

FIG. 67 is a flowchart illustrating a method of performing objectsecurity session validation.

FIG. 68 is a flowchart illustrating a method of performing objecttransaction session validation.

DETAILED DESCRIPTION OF THE FIGURES

Embodiments of the present invention and its advantages are bestunderstood by referring to FIGS. 1 through 36, like numerals being usedfor like and corresponding parts of the various drawings.

FIG. 1 illustrates a system 100 for controlling access to a resource145. As provided in FIG. 1, system 100 may include a device 114, anetwork 120, a TBAC module 110, a resource provider 140, a network tokenprovider 122, a computed risk token provider 124, a public tokenprovider 126, and a private token provider 128. Device 114, resourceprovider 140, and TBAC module 110 may be coupled to network 120. Ingeneral, TBAC module 110 may use tokens 115 to control access by a user112 to a resource 145 provided by resource provider 140. When user 112uses device 114 to request a resource 145 from resource provider 140,TBAC module 110 may intercept the request and determine if user 112should be granted access to the resource 145. TBAC module 110 may makethis determination by examining tokens 115 from various token providers.Tokens 115 may provide TBAC module 110 with information associated withuser 112, device 114, and network 120. After examining tokens 115, TBACmodule 110 may grant access, deny access or condition access to theresource 145. Although this disclosure describes system 100 includingspecific elements, this disclosure contemplates system 100 including anysuitable elements to perform the described operations of system 100. Forexample, system 100 may include more token providers than the oneslisted above. System 100 may also operate across several networks 120.

In particular embodiments, system 100 may be operable to maketoken-based access decisions in lieu of attribute-based accessdecisions. For example, system 100 may examine and process tokens 115 indetermining whether to grant a user 112 access to a resource 145. System100 may also communicate and receive communications in the form oftokens 115. In particular embodiments, tokens 115 may represent aplurality of properties, qualities, or features, also known asattributes, belonging to a user 112, a device 114, a network 120, or aresource 145. A token 115 may represent hundreds or even thousands ofattributes. Although this disclosure describes tokens 115 representingattributes of particular elements, this disclosure contemplates tokens115 representing attributes of any element of system 100. In particularembodiments, tokens 115 may also represent a plurality of other tokens115. In this manner, system 100 may use tokens 115 to communicationinformation about attributes and other tokens 115.

Tokens 115 may be generated by TBAC module 110 and the various tokenproviders, such as for example, the public token provider 126. Eachtoken 115 may have a type that depends upon the source of the token 115.As an example and not by way of limitation, token 115 may be a publictoken 115 a, private token 115 b, resource token 115 c, risk token 115m, data token 115 e, or network token 115 f pursuant to the particulartoken provider that generated the token 115. Although this disclosuredescribes token 115 being of particular types, this disclosurecontemplates tokens 115 being of any suitable type to perform theoperations of system 100. Specific token types will be discussed furtherbelow. Because system 100 is a token-based system, system 100 mayprocess a plurality of attributes and tokens 115 in the form of a token115 rather than separately processing the individual attributes ortokens 115. In this manner, system 100 may make more efficient andquicker access decisions.

System 100 may include a user 112 and device 114. As an example and notby way of limitation, device 114 may be a personal computer, aworkstation, a laptop, a wireless or cellular telephone, an electronicnotebook, a personal digital assistant, or any other device (wireless,wireline, or otherwise) capable of receiving, processing, storing,and/or communicating information with other components of system 100.Device 114 may also include a user interface, such as a display, amicrophone, keypad, or other appropriate terminal equipment usable byuser 112. In particular embodiments, device 114 may be configured torequest and consume resources 145 provided by resource provider 140. Insome embodiments, an application executed by device 114 may request andconsume the resource 145. Although this disclosure describes device 114with respect to particular types of devices, this disclosurecontemplates device 114 being any suitable device.

In particular embodiments, device 114 may be operable to sendinformation to identify device 114 to other system 100 components. As anexample and not by way of limitation, device 114 may send a MAC address,IP address, and/or device name to identify device 114 to system 100components. Although this disclosure describes device 114 sendingparticular types of information used to identify device 114, thisdisclosure contemplates device 114 sending any suitable information usedto identify device 114. In particular embodiments, device 114 may beoperable to send information to verify device 114 is compliant toconsume a requested resource 145. As an example and not by way oflimitation, device 114 may send an OS version, firmware version, and/oroperating speed. Although this disclosure describes device 114 sendingparticular types of information used to verify the compliance of device114, this disclosure contemplates device 114 sending any suitableinformation used to verify the compliance of device 114.

User 112 may use device 114 to send information to identify orauthenticate user 112 to other system 100 components. As an example andnot by way of limitation, user 112 may send a user ID and/or a password.Although this disclosure describes user 112 using device 114 to sendparticular types of information used to identify user 112, thisdisclosure contemplates user 112 using device 114 to send any suitableinformation used to identify user 112.

System 100 includes network 120. Device 114 may communicate with TBACmodule 110 and resource provider 140 through network 120. Thisdisclosure contemplates any suitable network 120 operable to facilitatecommunication between the components of system 100, such as device 114and TBAC module 110. Network 120 may include any interconnecting systemcapable of transmitting audio, video, signals, data, messages, or anycombination of the preceding. Network 120 may include all or a portionof a public switched telephone network (PSTN), a public or private datanetwork, a local area network (LAN), a metropolitan area network (MAN),a wide area network (WAN), a local, regional, or global communication orcomputer network, such as the Internet, a wireline or wireless network,an enterprise intranet, or any other suitable communication link,including combinations thereof, operable to facilitate communicationbetween the components.

System 100 includes resource provider 140. Resource provider 140 may beoperable to provide resources 145 to be consumed by device 114. As anexample and not by way of limitation, resource provider 140 may providedevice 114 an instance of an application from a cloud. As anotherexample, resource provider 140 may provide computing power and send theresults of a computation to device 114. Resource 145 may also be, forexample, a service, an application, or a virtual machine. In particularembodiments, resource provider 140 may be operable to send resourcetokens 115 c to TBAC module 110. Resource tokens 115 c may identify thetypes of resources 145 provided by resource provider 140. Resourcetokens 115 c may also identify the types of resources 145 requested bydevice 114. As an example and not by way of limitation, a particularresource token 115 c may indicate that resource provider 140 has beenrequested to provide a financial application to device 114. Resourceprovider 140 may further include a policy enforcement point. Inparticular embodiments, the policy enforcement point may restrict orexclude user 112 from accessing a resource 145 until TBAC module 110grants access to user 112.

System 100 may include public token provider 126, network token provider122, computed risk token provider 124, private token provider 128, anddata token provider 129. These token providers may provide TBAC module110 with particular types of tokens 115. Public token provider 126 mayprovide public tokens 115 a (standardized and non-standardized), such asfor example, Kerberos and SAML tokens. Network token provider 122 mayprovide network tokens 115 f used to determine the status,vulnerability, congestion, etc. of network 120. Private token provider128 may provide private tokens 115 b, such as for example, custom tokensand private key tokens. Data token provider 129 may provide data tokens115 e, such as for example, tokens 115 representing social securitynumbers, dates, or email addresses. Computed risk token provider 124 maycalculate risk tokens 115 m indicating the risk associated with grantinguser 112 and/or device 114 access to a requested resource 145 overnetwork 120. When an element of device 114 or network 120 changes,computed risk token provider 124 may update the risk token 115 massociated with granting access to resource 145.

Each token 115 may represent a set of attributes that describe user 112,device 114, network 120, or an action or set of actions performed byuser 112. It may take hundreds or thousands of attributes to fullydescribe user 112, device 114, network 120, and a set of actionsperformed by user 112. Because of the large number of attributes used,it may be faster and more efficient to examine tokens 115, that embodyor represent a set or group of attributes, rather than the individualattributes when making a determination of whether to grant or denyaccess to a resource or service. In particular embodiments, system 100may provide more efficient access control because system 100 makesaccess decisions based on tokens 115 rather than attributes. Because anaccess decision may depend upon thousands of attributes, the accessdecision may be quickened if system 100 examined tokens 115 that wereabstracted from groups of attributes. By examining tokens 115 ratherthan attributes, TBAC module 110 may focus on processing access rulesrather than identifying attributes and attribute relationships.

In particular embodiments, tokens 115 may include metadata based on theattributes and/or set of attributes represented by token 115. Because ofthe large number of attributes that a token 115 may represent, it may bemore efficient to condense or abstract particular attributes intometadata. In this manner, system 100 may examine multiple attributes ina condensed form. As an example and not by way of limitation, a token115 may be used to represent the health status, gender, and age group ofa user 112. These attributes may be condensed and/or abstracted into oneor more forms of metadata. For example, token 115 may represent a colorthat represents these attributes. The color green may mean that user 112is a sick boy. The color blue may mean that user 112 is a sick girl. Thecolor yellow may mean that user 112 is a healthy adult man. The colorred may mean that user 112 is a healthy elderly woman. In this example,system 100 may determine the health status, gender, and age range ofuser 112 by observing a color rather than values for these attributes.Although this disclosure describes condensing and/or abstractingparticular attributes into particular forms of metadata, this disclosurecontemplates abstracting and/or condensing any number and combination ofattributes into any number and combination of forms of metadata.

In particular embodiments, because tokens 115 may condense and/orabstract attributes into forms of metadata, tokens 115 may also becryptic. This means that particular forms of translation, mapping,and/or decryption may be necessary for system 100 to understand theinformation represented by token 115. To continue the previous example,if system 100 determines that a token 115 represents the color green,system 100 may not understand that token 115 indicates that user 112 isa sick boy unless there is a mapping between colors and health status,gender, and age range. If system 100 performs the mapping, then thecolor represented by token 115 will carry meaning. Otherwise, themeaning will not be understood. In this manner, the information thattoken 115 represents (e.g. health status and gender) may be safeguardedeven if token 115 were intercepted maliciously. Although this disclosuredescribes system 100 handling a cryptic token 115 in a particularmanner, this disclosure contemplates system 100 handling a cryptic token115 in any appropriate manner including the application of any numberand combination of forms of decryption.

In particular embodiments, tokens 115 may provide assurance thatattributes are authentic and accurate. Tokens 115 may provide thisassurance by representing attributes associated with access controlalong with other attributes. As an example and not by way of limitation,a token 115 may represent an authentication attribute indicating thatuser 112 has performed a form of authentication such as biometricauthentication. Token 115 may further represent attributes associatedwith user 112 such as age and gender. When system 100 examines token115, system 100 may be provided assurance that the age and genderrepresented by token 115 is authentic and accurate because token 115also represents that user 112 has performed biometric authentication. Inthis manner, system 100 may be provided assurance that the informationrepresented by token 115 is authentic and accurate. Although thisdisclosure describes token 115 providing assurance in a particularmanner, this disclosure contemplates token 115 providing assurance inany appropriate manner.

In particular embodiments, tokens 115 may provide real-time informationwith respect to an element of system 100. This means that theinformation provided by token 115 may be current, and that theinformation represented by token 115 may be updated to represent thecurrent state of an element of system 100. As an example and not by wayof limitation, token 115 may represent the location of user 112. As user112 moves from location to location, token 115 may update to representthe current location of user 112. In particular embodiments, updatingtoken 115 may include system 100 receiving a new or updated version oftoken 115. In this manner, system 100 may examine token 115 to track thecurrent location of user 112. Although this disclosure describesproviding real-time information with respect to a particular attribute,this disclosure contemplates token 115 providing real-time informationwith respect to any number and combination of attributes.

When particular changes occur in user 112, device 114, network 120, orresource provider 140, the various token providers, device 114, orresource provider 140 may generate and send a new token 115 to TBACmodule 110. The new token 115 may represent the state of user 112,device 114, network 120, or resource provider 140 after the change. Thenew token 115 may trigger TBAC module 110 to perform a particularprocess or action in response to the new state. As an example and not byway of limitation, if user 112 attaches a peripheral device, such as aUSB drive, to device 114, then device 114 may generate and send a newtoken 115 to TBAC module 110 to indicate the presence of the peripheraldevice, and computed risk token provider 124 may calculate and send TBACmodule 110 a new risk token 115 g taking into account the presence ofthe peripheral device. In response, TBAC module 110 may produce an erroror terminate the session if the new risk token 115 g indicates theperipheral device presents an unacceptable risk.

In particular embodiments, system 100 may include TBAC module 110. TBACmodule 110 may include a processor 132 coupled to a memory 134. TBACmodule 110 may be coupled to and may receive tokens 115 from publictoken provider 126, network token provider 122, computed risk tokenprovider 124, and private token provider 128. TBAC module 110 mayexamine tokens 115 from the various token providers to determine if user112 and device 114 should be granted access to a resource 145 orservice.

TBAC module 110 may include memory 134. Memory 134 may store, eitherpermanently or temporarily, data, operational software, or otherinformation for processor 132. Memory 134 may include any one or acombination of volatile or non-volatile local or remote devices suitablefor storing information. For example, memory 134 may include randomaccess memory (RAM), read only memory (ROM), magnetic storage devices,optical storage devices, or any other suitable information storagedevice or a combination of these devices. Memory 134 may store tokens115 and any relationships amongst the tokens 115. In particularembodiments, memory 134 may further store sets of token-based rules 130.Rules 130 may direct how TBAC module 110 responds to a particular set ofreceived tokens 115.

Memory 134 may store four particular sets of token-based rules 130, eachcorresponding to a particular operation of TBAC module 110. The firstset of rules 130 is the container chaining rules discussed with respectto FIGS. 2 and 3. The second set of rules 130 is the attributeaggregation and assimilation rules discussed with respect to FIGS. 4 and5. The third set of rules 130 is the attribute abstraction rulesdiscussed with respect to FIGS. 6 and 7. The fourth set of rules 130 isthe tabular trust and transaction rules discussed with respect to FIGS.8-10.

Each set of rules 130 may facilitate a function of the TBAC module 110.For example, the tabular trust and transaction rules may facilitate thegrant or denial of access to a resource 145 by TBAC module 110.

TBAC module 110 may include processor 132. Processor 132 may control theoperation and administration of TBAC module 110 by processinginformation received from network 120 and memory 134. Processor 132 mayinclude any hardware and/or software that operates to control andprocess information. For example, processor 132 may examine a set oftokens 115 and apply a token-based rule 130 associated with the set oftokens 115. Processor 132 may be a programmable logic device, amicrocontroller, a microprocessor, any suitable processing device, orany suitable combination of the preceding.

In operation, TBAC module 110 may perform four primary functions:chaining containers, aggregating attributes, abstracting attributes, andmaking access decisions. In chaining containers, TBAC module 110 mayexamine a set of tokens 115 to determine if a device 114 is capable ofconsuming a requested resource 145.

This function will be discussed further with respect to FIGS. 2 and 3.In aggregating attributes, TBAC module 110 may retrieve, as tokens 115,the attributes required to grant access to a particular resource 145.This function will be discussed further with respect to FIGS. 4 and 5.In abstracting attributes, TBAC module 110 may communicate a pluralityof tokens 115 to be used in the computing of a risk token 115 m. Thisfunction will be discussed further with respect to FIGS. 6 and 7. Inmaking an access decision, TBAC module 110 may examine a plurality oftokens 115 to determine whether to grant access, deny access, orcondition access to a resource 145. This function will be discussedfurther with respect to FIGS. 8-10. In addition, TBAC module 110 mayperform four other categories of functions as described in thisdisclosure. The first category of functions pertains to user 112:re-authentication, combining authentication methods, reassigningprivileges, and packet prioritization. During re-authentication, TBACmodule 110 may prompt user 112 for a one-time password generated usingthe personal information of the user 112. This function will bediscussed further with respect to FIGS. 11 and 12. During combiningauthentication methods, TBAC module 110 may examine multipleauthentication methods to determine if a particular combination ofauthentication methods leads to the assignment of a privilege to user112. This function will be discussed further with respect to FIGS. 13and 14. During reassigning privileges, TBAC module 110 may detect achange that poses a risk associated with granting the user 112 a certainprivilege, and may update the privileges accordingly. This function willbe further discussed with respect to FIGS. 15 and 16. During packetprioritization, TBAC module 110 may prioritize the packets of a highpriority user 112 over the packets of users 112 with a lower priority.This function will be further discussed with respect to FIGS. 17 and 18.

The second category of functions pertains to access decisions:conditioning, accessing related resources, real-time risk updating,combining risk ratings, transaction tagging, real-time authenticationusing subject token combinations, session validation, determining accessvalues, exceptions, and end-to-end encryption. During conditioning, TBACmodule 110 may determine any conditions associated with an accessdecision, and may communicate the conditions. This function will befurther discussed with respect to FIGS. 19 and 20. During accessingrelated resources, TBAC module 110 may determine if a user 112 mayaccess any resources 145 related to a requested resource 145. Thisfunction will be further discussed with respect to FIGS. 21 and 22.During real-time risk updating, TBAC module 110 may update the riskassociated with granting a user 112 or device 114 access to a resource145 in real-time, even as the device 114 may be consuming the resource145.

This function will be discussed further with respect to FIGS. 23 and 24.During combining risk ratings, TBAC module 110 may examine multiple riskratings associated with granting access to various resources todetermine a composite risk associated with user 112 and device 114. Thisfunction will be discussed further with respect to FIGS. 25 and 26.During transaction tagging, TBAC module 110 may detect suspicioustransactions and tag them for monitoring and isolation. This functionwill be discussed further with respect to FIGS. 27 and 28. Duringreal-time authentication using subject token combinations, TBAC module110 may determine missing forms of user and/or device authenticationthat need to be performed to grant access to a resource. This functionwill be discussed further with respect to FIGS. 39 and 40. Duringsession validation, TBAC module 110 may generate and maintain sessiontokens 115 j. This function will be discussed further with respect toFIGS. 41 and 42. To determine access values, TBAC module 110 mayassociate particular combinations of tokens 115 to particular accessvalues, such as assurance level, trust level, integrity level, and risklevel. Then, TBAC module 110 may make access decisions based on theseaccess values. This function will be discussed further with respect toFIGS. 47-54. During exceptioning, TBAC module 110 may use tokens 115 todetermine an exception to the token-based rules. TBAC module 110 maymake an access decision based on the exception. This function will bediscussed further with respect to FIGS. 55 and 56. During end-to-endencryption, TBAC module 110 may use tokens 115 to determine whetherparticular forms of encryption should be performed before access may begranted. This function will be discussed further with respect to FIGS.57 and 58.

The third category of functions pertains to devices 114 and tokenproviders: context caching and virtual machine recycling. During contextcaching, an attribute cache may be cleansed and updated based on tokens115 involved in a risk computation. This function will be discussedfurther with respect to FIGS. 29 and 30. During VM recycling, TBACmodule 110 may facilitate the recycling of stale virtual machines. Thisfunction will be discussed further with respect to FIGS. 31 and 32.

The fourth category of functions pertains to tokens 115: tokentermination, tamper detection, data tokenization, and transaction tokenhandling. During token termination, TBAC module 110 may terminate andinitialize tokens 115 for particular resources based on risk. Thisfunction will be discussed further with respect to FIGS. 33 and 34.During tamper detection, TBAC module 110 may detect if a token 115 hasbeen tampered, and if so, may re-generate that token 115. This functionwill be discussed further with respect to FIGS. 35 and 36. During datatokenization, TBAC module 110 may determine whether a data tokenrepresenting data should be generated, and if so, may initialize datatokenization by generating and transmitting messages to appropriatetoken providers. This function will be discussed further with respect toFIGS. 43 and 44. During transaction token handling, TBAC module 110 mayreceive a transaction token and determine whether to allow an associatedtransaction based on the risk that the transaction may be fraudulent.This function will be discussed further with respect to FIGS. 45 and 46.Although particular functions have been previewed above in conjunctionwith particular figures in order to organize the subject matter for thereader, it should be understood that the present disclosure contemplatesany suitable number and combination of components and functionsregardless of any specific reference to the figures.

The functions of the TBAC module 110 described herein may be performedby executing software stored in one or more non-transitory storagemedia, such as a computer-readable medium or any other suitable tangiblemedium. In particular embodiments, TBAC module 110 or any other suitablecomponent such as, for example, processor 132, may execute softwarestored in the one or more storage media to perform any of the functionsof the TBAC module 110 described herein.

In particular embodiments, because TBAC module 110 communicates andprocesses tokens 115 rather than attributes and because TBAC module 110operates on multiple types of tokens 115 from different sources, ratherthan only one type of token (for example, a subject token 115 b), TBACmodule 110 may make quicker and more efficient decisions with moregranularity and particularity as to user 112, device 114, network 120,and the requested resource 145. TBAC module 110 may consider a largenumber of attributes and tokens 115 by examining only a few tokens 115.This may reduce the processing time and memory profile associated withany particular operation. Further advantages may be readily apparentfrom the present disclosure.

FIGS. 2 and 3 illustrate how system 100 may perform the containerchaining function to prepare a device 114 to consume a resource 145.Prior to granting device 114 access to the resource 145, device 114 isprovisioned with an appropriate container 210 that is capable offacilitating access to and consumption of the resource 145. For example,the device 114 may be provisioned a container 210 that includes avirtual machine that can be used to consume the resource 145. Prior toprovisioning such a container 210, however, system 100 ensures that thedevice 114 is compliant, among other things. This process of checkingthe compliance of the device 114 and subsequently provisioning acontainer 210 to the device 114 is referred to as container chaining andwill be described in greater detail with respect to FIGS. 2 and 3.

When system 100 receives an initial request 240 from device 114 foraccess to a particular resource 145, system 100 may first identifydevice 114 and then verify that device 114 is compliant for consumingthe requested resource 145. By identifying device 114 and verifying itscompliance, system 100 may reduce the chances of granting device 114access to a resource 145 it cannot consume. For example, if device 114contains old versions of firmware or obsolete hardware, it may not bedesirable to grant device 114 access to a resource 145 that requiresupdated firmware or to a resource 145 that requires fast processingspeeds. After system 100 identifies device 114 and verifies that device114 is compliant, system 100 may provision a container 210 to device114. Container 210 may facilitate access to and consumption of theresource 145. In particular embodiments, system 100 may use tokens 115to perform the container chaining function thereby increasing the speedand efficiency at which system 100 may perform the function.

FIG. 2 illustrates the system 100 of FIG. 1 chaining a container 210. Asprovided in FIG. 2, TBAC module 110 may direct the container chainingprocess. The first task is for TBAC module 110 to identify device 114.After device 114 requests a resource 145, represented by resource token115 c, from resource provider 140, TBAC module 110 may intercept therequest 240 and request device 114 to identify itself. In response,device 114 may send identifying information 220 to a public tokenprovider 126 or to a private token provider 128. As an example and notby way of limitation, device 114 may send a MAC address, an IP address,and/or a device name. Public token provider 126 or private tokenprovider 128 may provide TBAC module 110 with a hard token 115 g thatrepresents the identifying information 220 sent by device 114. Althoughthis disclosure describes hard token 115 g representing particularinformation 220 used to identify device 114, this disclosurecontemplates hard token 115 g representing any suitable information 220that identifies device 114, such as for example, information from Layer2 of the Open Systems Interconnection (OSI) stack. Although thisdisclosure describes a singular hard token 115 g representingidentification information of device 114, this disclosure contemplatesany number and combination of hard tokens 115 g representing theidentification information 220. Resource provider 140 may further sendto TBAC module 110 resource token 115 c representing resource 145.Although this disclosure describes a singular resource token 115 crepresenting resource 145, this disclosure contemplates any number andcombination of resource tokens 115 c representing resource 145.

After TBAC module 110 identifies device 114, TBAC module 110 may verifythe compliance of device 114 to reduce the chances of granting device114 access to a resource 145 that device 114 cannot consume. TBAC module110 may use container chaining (CCC1) rules 230 stored in memory 134 tofacilitate verifying the compliance of device 114. TBAC module 110 mayuse hard token 115 g and resource token 115 c to access CCC1 rules 230.By using CCC1 rules 230, TBAC module 110 may verify the compliance ofdevice 114 to consume the requested resource 145 and may facilitate theprovisioning of container 210 to device 114. As an example and not byway of limitation, a particular CCC1 rule 230 may specify certaincompliance criteria in order for a device 114 identified by hard token115 g to consume the resource 145 associated with resource token 115 c.For example, CCC1 rule 230 may specify that device 114 containparticular versions of firmware or operating system, or that device 114meet particular hardware requirements. TBAC module 110 may determine theparticular CCC1 rule 230 using hard token 115 g and resource token 115c. TBAC module 110 may determine the compliance criteria from thedetermined CCC1 rule 230. In particular embodiments, TBAC module 110 mayrequest and in response, receive another hard token 115 g representingthe compliance information of device 114, and TBAC module 110 may verifydevice 114 is compliant by comparing the compliance information againstthe determined compliance criteria. As an example and not by way oflimitation, a particular CCC1 rule 230 may specify that a device 114should be operating a particular version of firmware in order to consumethe resource 145. TBAC module 110 may receive another hard token 115 grepresenting the firmware version of the device 114. TBAC module 110 maythen verify that device 114 contains a valid version of firmware bycomparing the firmware version of device 114 with the particularfirmware version specified by CCC1 rule 230. In particular embodiments,TBAC module 110 may quarantine device 114 until device 114 verifies thatit is compliant or capable of consuming the requested resource 145pursuant to CCC1 rule 230. After verifying that device 114 is compliant,TBAC module 110 may generate or receive a compliance token 115 h. TBACmodule 110 may then correlate hard token 115 g and compliance token 115h in order to associate device 114 with its compliance information.

After device 114 has been deemed compliant, TBAC module 110 maycommunicate the compliance token 115 h to facilitate the provisioning ofcontainer 210 to device 114. Container 210 may facilitate theconsumption of the resource 145. In particular embodiments, container210 may include a virtual machine operable to execute an applicationthat consumes the requested resource 145. The virtual machine may be anapplication that executes on device 114 to simulate the operation ofanother device or a cloud resource. After device 114 has beenprovisioned with container 210, TBAC module 110 may receive a virtualmachine (VM) token 115 i. TBAC module 110 may correlate VM token 215 cwith hard token 115 g and compliance token 115 h so that informationassociated with container 210 may be associated with device 114.

In particular embodiments, TBAC module 110 may generate and correlate asession token 115 j with hard token 115 g, compliance token 115 h, andVM token 115 i in order to associate device 114 and container 210 to asession. Resource token 115 c may also be associated with session token115 j. Session token 115 j may represent the session. In particularembodiments, the session may facilitate access by device 114 to theresource 145. After correlating hard token 115 g, compliance token 115h, VM token 115 i, and session token 115 j, any changes that occur todevice 114 or to container 210 may alter or terminate the session. As anexample and not by way of limitation, if a virus or malware is detectedon device 114, TBAC module 110 may detect a new or altered token 115associated with device 114 and terminate the session associated withsession token 115 j. Upon termination of the session, container 210 maybe released. As another example and not by way of limitation, if aperipheral device is attached to device 114, TBAC module 110 may detecta token 115 associated with the peripheral device, then TBAC module 110may pause the session. TBAC module 110 may recheck the compliance ofdevice 114 (i.e., to check if device 114 is allowed to consume therequested resource 145 when device 114 has a peripheral deviceattached). If device 114 is compliant, TBAC module 110 may continue thesession associated with session token 115 j. In particular embodiments,TBAC module 110 may communicate to device 114, by way of tokens 115,that a session has been terminated or paused.

In particular embodiments, TBAC module 110 may perform the containerchaining function to verify that a device 114 is compliant to reduce thechances of granting device 114 access to a resource 145 that it cannotconsume. Furthermore, verifying compliance may make it more probablethat device 114 may consume the resource 145 at an acceptable pace. Asan example and not by way of limitation, if device 114 included obsoletehardware, TBAC module 110 may deny access because granting access maylead to slow execution. In particular embodiments, because TBAC module110 uses tokens 115 rather than attributes in performing the containerchaining function, TBAC module 110 may quickly and efficiently verifythat device 114 is compliant.

Although this disclosure describes TBAC module 110 performing certainactions with respect to FIG. 2, this disclosure contemplates theprocessor 132 and the memory 134 of the TBAC module 110 performing theseactions. The illustration of system 100 in FIG. 2 does not specificallyillustrate all of the elements from the illustration of system 100 inFIG. 1 so that particular aspects of system 100 may be emphasized.However, system 100 of FIG. 2 includes all the elements of system 100 inFIG. 1.

FIG. 3 is a flowchart illustrating a method 300 of chaining a container210 using the system 100 of FIG. 1. TBAC module 110 may perform method300. As provided in FIG. 3, TBAC module 110 may begin by intercepting arequest 240 from a device 114 to a resource 145 in step 310. Inresponse, TBAC module 110 may proceed to identify device 114. Toidentify device 114, TBAC module 110 may request identifying information220 from the device 114 in step 320. Identifying information 220 may bea MAC address, an IP address, a device name, or any suitable informationused to identify the device 114. In response to the request, TBAC module110 may receive a hard token 115 g in step 330. Hard token 115 g mayrepresent identifying information 220 of the device 114. In step 340,TBAC module 110 may determine if the hard token 115 g properlyidentifies the device 114. If the hard token 115 g does not properlyidentify the device 114, TBAC module 110 may return to step 320 torequest identifying information 220 from the device 114. If the hardtoken 115 g does properly identify the device 114, TBAC module 110 mayconsider device 114 identified and continue to verify the compliance ofdevice 114.

TBAC module 110 may verify that device 114 is compliant to consume theresource. By verifying that device 114 is compliant, TBAC module 110 mayreduce the chances of granting access to a resource 145 that device 114cannot consume. TBAC module 110 may begin verifying compliance in step350 by requesting compliance information from the device 114. Complianceinformation may indicate whether the device 114 is capable of consumingthe requested resource 145. In response to the request, TBAC module 110may receive a hard token 115 g representing the compliance informationof the device 114 in step 355. TBAC module 110 may then access CCC1rules 230 in step 360 to compare the compliance information of thedevice 114 against compliance criteria specified by a particular CCC1rule 230. In step 365, TBAC module 110 may determine, based on the CCC1rule 230, whether the device 114 is compliant to consume the resource145. If the device 114 is not compliant, TBAC module 110 may move tostep 370 by waiting for the device 114 to become compliant. As anexample and not by way of limitation, device 114 may be incompliantbecause the firmware in device 114 needs to be updated. TBAC module 110may wait for device 114 to update its firmware before proceeding to thenext step. If the device 114 becomes compliant, TBAC module 110 mayreturn to step 350 and request compliance information from the device114.

If the device 114 is compliant for the requested resource 145, TBACmodule 110 may generate a compliance token 115 h in step 375. Thecompliance token 115 h may represent the compliance of device 114. TBACmodule 110 may then conclude by communicating the compliance token 115 hto facilitate the provisioning of a container 210 to the device 114 instep 380. In particular embodiments, the container 210 may facilitateaccess by the device 114 to the resource 145.

In particular embodiments, correlating hard tokens 115 g, compliancetokens 115 h, VM tokens 115 i, resource tokens 115 c, and session token115 j, may provide more efficient handling of the identification andverification of device 114. Rather than examining thousands ofattributes used to identify device 114 and the requested resource 145,TBAC module 110 may examine session token 115 j and the tokens 115correlated with it to discover the state of device 114 and container210. By following method 300, TBAC module 110 may more efficientlyidentify and verify device 114 for consuming the requested resource 145.

FIGS. 4 and 5 illustrate how system 100 may perform the attributeaggregation function. In general, user 112 may be authenticated in orderto access resource 112. During the authentication process, variousproperties, qualities, or features of user 112 may be examined. Theseproperties, qualities, or features may be known as attributes 425.However, there may be thousands or millions of available attributes 425that describe user 112, and resource 145 may not require all availableattributes 425 be examined to grant access. If all available attributes425 were considered, the authentication process may be slow andinefficient. The process by which TBAC module 110 determines andretrieves only those attributes 425 required to grant access to theresource 145 is known as attribute aggregation and is discussed in moredetail with respect to FIGS. 4 and 5.

User 112 may begin the authentication process by providingauthentication information, such as, for example, a user ID and apassword, to gain access to a requested resource 145. TBAC module 110may receive a subject token 115 k from the various token providers thatrepresents the authentication information provided by user 112. However,resource provider 140 may require extra layers of authentication orextra authentication information associated with user 112 beforeresource provider 140 grants access to the requested resource 145. Theseextra layers of authentication or extra authentication information maybe in the form of attributes 425 associated with user 112 stored inrepositories 420 a-d. One solution would be for TBAC module 110 toretrieve all the attributes 425 associated with user 112 from therepositories 420 a-d. However, the resource provider 140 may not requireall the attributes 425 associated with user 112 to grant access to theresource 145. As an example and not by way of limitation, resourceprovider 140 may require the age of the user 112, but not the locationof the user 112 to grant access to resource 145. In particularembodiments, TBAC module 110 may determine, from an attributeaggregation (AAA1) rule 430, the set of attributes 440 required byresource provider 140 to grant access to resource 145. In particularembodiments, the set of attributes 440 may not be required to grantaccess to resource 145, but may be preferred or prioritized in makingthe determination to grant access to resource 145. TBAC module 110 maythen determine from subject token 115 k a set of attributes 445 alreadyprovided by user 112. TBAC module 110 may then determine, from the setof required attributes 440 and the set of provided attributes 445, a setof attributes 450 that are still missing and request only thoseattributes 425 from the repositories 420 a-d. In particular embodiments,TBAC module 110 may provide faster and more efficient authentication byretrieving only the attributes 425 necessary to access the resource 145.

FIG. 4 illustrates the system 100 of FIG. 1 aggregating attributes 425.As provided in FIG. 4, TBAC module 110 may have correlated hard token115 g, compliance token 115 h, and VM token 115 i, among others, asappropriate, to session token 115 j thus indicating that device 114 hasbeen identified and verified compliant and that a container 210 has beenprovisioned to device 114 according to the container chaining functiondescribed with respect to FIGS. 2 and 3. User 112 may now initiate theauthentication process by providing initial attributes, such as forexample, initial authentication information to access a resource 145.Resource 145 may be represented by resource token 115 c, which may alsobe sent to and stored in TBAC module 110. In particular embodiments,after the user 112 has provided initial authentication information, suchas for example, a user ID and password, in the form of subject token 115k, TBAC module 110 may determine a set of required attributes 440required to access the requested resource 145. System 100 may theninspect subject token 115 k to determine a set of provided attributes445. System 100 may then compare the set of provided attributes 445 andthe set of required attributes 440 to determine a set of missingattributes 450. System 100 may then request the missing attributes fromrepositories 420 a-d. System 100 may then receive at least one moresubject token 115 k representing the missing attributes from the varioustoken providers, and correlate the at least one more subject token 115 kto the session token 115 j. In this manner, system 100 may provide amore efficient user authentication scheme by retrieving only theattributes 425 necessary to access the requested resource 145.

TBAC module 110 may determine the set of required attributes 440 usingAAA1 rules 430 stored in memory 134. A particular AAA1 rule 430 mayindicate a set of required attributes 440 required by resource provider140 to grant user 112 access to a particular resource 145. In particularembodiments, TBAC module 110 may use a stored token 115, such as theresource token 115 c, and the subject token 115 k to determine theparticular AAA1 rule 430. By using AAA1 rules 430, TBAC module 110 maydetermine and retrieve only those attributes 440 required to accessresource 145. TBAC module 110 may examine the subject token 115 kassociated with user 112 to determine a set of provided attributes 445.TBAC module 110 may then determine a set of missing attributes 450 bycomparing the set of required attributes 440 and the set of providedattributes 445. As an example and not by way of limitation, a particularAAA1 rule 430 may specify that accessing a particular resource 145requires the time of login and the social security number of the user112 in addition to the user ID and password of the user 112. However,subject token 115 k may represent only the user ID and password of theuser 112. In this case, TBAC module 110 may determine that the time oflogin and the social security number are in the set of missingattributes 450.

After determining the set of missing attributes 450, TBAC module 110 mayrequest the missing attributes 450 from various correspondingrepositories 420 a-d. Each repository 420 a-d may correspond with one ofthe various token providers. Each repository 420 a-d may storeattributes 425 a-d associated with user 112. As an example and not byway of limitation, data repository 420 c may store data attributes 425 cassociated with user 112 such as a social security number or telephonenumber. Each repository 420 a-d may return, to a corresponding tokenprovider, the attributes 425 a-d requested by TBAC module 110. Eachtoken provider may then generate and send a token 115 that representsthe returned attributes 425 to TBAC module 110, such as for example, anew subject token 115 k 2. TBAC module 110 may then correlate the newsubject token 115 k 2 to session token 115 j. TBAC module 110 mayfurther store the new subject token 115 k 2 in memory 134. Using theprevious example, TBAC module 110 may determine the time of login andthe social security number of the user 112 are in the set of missingattributes 450. TBAC module 110 may then request the time of login andthe social security number from the corresponding repositories, such asfor example, the data repository 420 c. In response, the data repository420 c may return, to the data token provider 129, the social securitynumber of the user. The data token provider 129 may generate a newsubject token 115 k 2 representing the social security number of theuser 112, and send the new subject token 115 k 2 to TBAC module 110. Asimilar process may be followed by the private repository 420 b toreturn the time of login. In this manner, TBAC module 110 may provide amore efficient authentication scheme by retrieving only the attributes440 required by resource provider 140 to access the requested resource145.

Although this disclosure describes TBAC module 110 performing certainactions with respect to FIG. 4, this disclosure contemplates theprocessor 132 and the memory 134 of the TBAC module 110 performing theseactions. The illustration of system 100 in FIG. 4 does not specificallyillustrate all of the elements from the illustration of system 100 inFIG. 1 so that particular aspects of system 100 may be emphasized.However, system 100 of FIG. 4 includes all the elements of system 100 inFIG. 1.

FIG. 5 is a flowchart illustrating a method 500 of aggregatingattributes 425 using the system 100 of FIG. 1. TBAC module 110 mayperform method 500. As provided in FIG. 5, TBAC module 110 may begin bystoring a hard token 115 g, compliance token 115 h, VM token 115 i, anda session token 115 j, among others, as appropriate, in step 510. Thesetokens 115 may be correlated and stored pursuant to the processdiscussed with respect to FIGS. 2 and 3. TBAC module 110 may continue byreceiving a subject token 115 k indicating a user attempt toauthenticate in step 520. The subject token 115 k may indicate a userattempt to authenticate by representing certain attributes 425 of theuser 112 such as, for example, a user ID and password. TBAC module 110may continue by determining the attributes 425 represented by thesubject tokens 115 k in step 530. These attributes 425 may be the set ofprovided attributes 445. TBAC module 110 may continue by accessing AAA1rules 430 in step 540. AAA1 rules 430 may specify all the attributes 425required to access resource 145. These specified attributes 425 may bethe set of required attributes 440. In step 550, TBAC module 110 maydetermine from the set of required attributes 440 and the set ofprovided attributes 430 if there are missing attributes 450 required toaccess the requested resource 145. If there are no missing attributes450, TBAC module 110 may conclude by correlating the subject token 115 kto the session token 115 j in step 595. However, in particularembodiments, the attributes 425 represented by the subject token 115 kmay not be sufficient to grant access to a requested resource 145. Inthat situation, method 500 may determine that there are missingattributes 450 in step 550. Accordingly, TBAC module 110 may determinethe missing attributes 450 in step 560.

To retrieve the missing attributes 450, TBAC module 110 may continue bysending a request for the missing attributes 450 to the correspondingrepositories 420 a-d in step 570. In response to the request, method 500may receive tokens 115 representing the missing attributes 450 in step580. In step 590, TBAC module 110 may determine if, according to theAAA1 rules 430, all missing attributes 450 have been represented by thereceived tokens 115. If not, TBAC module 110 may return to step 560 andrequest the still missing attributes 450. If all missing attributes 450have been represented by the received tokens 115, TBAC module 110 mayconclude by correlating the received tokens 115 with the session token115 j in step 595. By performing method 500, TBAC module 110 may providea more efficient authentication scheme by retrieving only the attributes425 required by resource provider 140 to access the requested resource145.

In particular embodiments, attribute aggregation allows system 100 toprovide a faster and more efficient authentication process bydetermining and retrieving only the attributes 440 required to accessresource 145. Furthermore, because TBAC module 110 processes all theattributes 425 using tokens 115, system 100 may perform theauthentication process even faster than if it considered individualattributes 425.

FIGS. 6 and 7 illustrate how system 100 may perform the attributeabstraction function. In general, TBAC module 110 may facilitate thegeneration of new tokens 115 from a particular set of tokens 620, notjust attributes 425. Prior to generating the new token 115, TBAC module110 may determine whether the particular set of tokens 620 is present.If the particular set of tokens 620 is present, TBAC module maycommunicate the particular set of tokens 620 to a token provider. Thetoken provider may generate the new token 115 that represents aparticular aspect of the particular set of tokens 620. This process isknown as attribute abstraction, which is discussed further with respectto FIGS. 6 and 7 in the context of generating a risk token 115 m.Although this disclosure describes the attribute abstraction functionusing a particular context, this disclosure contemplates performing theattribute abstraction function in any suitable context.

TBAC module 110 may perform attribute abstraction to facilitate thegeneration of a risk token 115 m. In particular embodiments, TBAC modulemay determine that a particular set of tokens 620 is ready forabstraction. Then, TBAC module 110 may generate a dataset token 115 lrepresenting the set of tokens 620, and communicate the dataset token115 l to the computed risk token provider 122. In response, the computedrisk token provider 122 may compute and return a risk token 115 massociated with the set of tokens 620.

FIG. 6 illustrates the system 100 of FIG. 1 performing attributeabstraction. As provided in FIG. 6, TBAC module 110 may store a hardtoken 115 g, compliance token 115 h, VM token 115 i, and subject token115 k, among others, as appropriate. These tokens 115 may be correlatedwith session token 115 j, also stored in TBAC module 110. TBAC module110 may also receive and store resource token 115 c from resourceprovider 140. In particular embodiments, resource tokens 115 c may becorrelated with session token 115 j. In particular embodiments, thesetokens 115 may form a set of tokens 620. To perform attributeabstraction, TBAC module 110 may determine whether the set of tokens 620is ready for abstraction. As an example and not by way of limitation,TBAC module 110 may determine that the set of tokens 620 containssufficient tokens 115 for a risk token 115 m to be computed. In responseto this determination, TBAC module 110 may communicate information aboutthe set of tokens 620 to facilitate generation of the risk token 115 m.

In particular embodiments, TBAC module 110 may store attributeabstraction (AAA2) rules 630 in memory 134. AAA2 rules 630 may specifywhen a particular set of tokens 620 is ready for abstraction. As anexample and not by way of limitation, a particular AAA2 rule 630 mayspecify that a set of tokens 620 is ready for abstraction when the setof tokens 620 includes a subject token 115 k, a hard token 115 g, acompliance token 115 h, a VM token 115 i, and a session token 115 j. Ifthe particular set of tokens 620 includes those tokens 115, then TBACmodule 110 may generate a dataset token 115 l that represents the set oftokens 620. In particular embodiments, dataset token 115 l may be usedto communicate information about the set of tokens 620. The informationabout the set of tokens 620 may be used to perform attributeabstraction.

To complete the attribute abstraction process, TBAC module 110 maycommunicate the dataset token 115 l to a token provider. In particularembodiments, TBAC module 110 may communicate the dataset token 115 l tocomputed risk token provider 122. In response, computed risk tokenprovider 122 may evaluate the set of tokens 620 represented by datasettoken 115 l and compute a risk associated with the set of tokens 620. Asan example and not by way of limitation, the risk may be associated withgranting user 112 (associated with subject token 115 k) and device 114(associated with hard token 115 g) access to the resource 145(associated with resource token 115 c). Computed risk token provider 122may generate a risk token 115 m to represent the computed risk. Computedrisk provider 122 may communicate the risk token 115 m to TBAC module110. When TBAC module 110 receives the risk token 115 m, it maycorrelate it with session token 115 j. In this manner, TBAC module 110may perform attribute abstraction by taking a set of tokens 620 andabstracting another token 115, such as a risk token 115 m, thatrepresents a particular aspect associated with the set of tokens 620. Inthis example, the aspect is the risk associated with granting a user 112access to a resource 145 associated with the set of tokens 620.

Although this disclosure describes TBAC module 110 performing certainactions with respect to FIG. 6, this disclosure contemplates theprocessor 132 and the memory 134 of the TBAC module 110 performing theseactions. The illustration of system 100 in FIG. 6 does not specificallyillustrate all of the elements from the illustration of system 100 inFIG. 1 so that particular aspects of system 100 may be emphasized.However, system 100 of FIG. 6 includes all the elements of system 100 inFIG. 1.

FIG. 7 is a flowchart illustrating a method 700 of performing attributeabstraction using the system 100 of FIG. 1. TBAC module 110 may performmethod 700. TBAC module 110 may begin by storing a hard token 115 g,compliance token 115 h, VM token 115 i, subject token 115 k, and sessiontoken 115 j, among others, as appropriate, as a plurality of tokens 115in step 710. In particular embodiments, the plurality of tokens 115 mayinclude a set of tokens 620 that is ready for abstraction. AAA2 rules630 may be used to determine if the set of tokens 620 is present. Instep 720, TBAC module 110 may access the AAA2 rules 630. Based on theAAA2 rules 630, TBAC module 110 may determine in step 730 whether theplurality of tokens 115 include a set of tokens 620 that is ready forabstraction. If the plurality of tokens 115 does not include a set oftokens 620 that is ready for abstraction, TBAC module 110 may conclude.

However, if the plurality of tokens 115 does include a set of tokens 620that is ready for abstraction, TBAC module 110 may complete theattribute abstraction process. To begin, TBAC module 110 may generate adataset token 115 l representing the plurality of tokens 115 in step740. TBAC module 110 may communicate the dataset token 115 l to thecomputed risk token provider 122 in step 750. In response, the computedrisk token provider 122 may compute a risk token 115 m. In step 760,TBAC module 110 may receive the risk token 115 m. TBAC module 110 mayconclude in step 770 by correlating the dataset token 115 l and the risktoken 115 m to the session token 115 j.

In particular embodiments, by performing the attribute abstractionfunction, system 100 may represent information about tokens 115, notjust attributes 425, in the form of tokens 115. In this manner, system100 may make more robust access decisions. Furthermore, by representinginformation about multiple tokens 115 in a single token 115, such as arisk token 115 m, system 100 may perform faster and more efficientevaluation of tokens 115.

FIGS. 8-10 illustrate how system 100 may make an access decision usingtokens 115. In general, TBAC module 110 may determine whether to grantor deny a user 112 access to a resource 145. TBAC module 110 may alsodetermine conditions to granting or denying access. This process ofdetermining whether to grant or deny access and determining anyconditions is referred to as making an access decision, which will bediscussed further with respect to FIGS. 8-10.

TBAC module 110 may make an access decision by using levels 850determined by tokens 115. In particular embodiments, TBAC module 110 mayuse tokens 115 to generate various levels 850 that indicate the securityand risks posed by a user 112, a device 114, and/or a network 120. TBACmodule 110 may then use these various levels 850 to make a decision togrant, deny, or condition access to the resource 145. TBAC module 110may further generate a decision token 115 n representing the decision togrant, deny, or condition access. TBAC module 110 may communicate thedecision token 115 n to facilitate enforcement of the access decision.In particular embodiments, by examining tokens 115 rather thanattributes 425 in making an access decision, TBAC module 110 mayincrease the speed and efficiency of the decision-making process. Byexamining tokens 115, TBAC module 110 may also lighten the processingload on processor 132 and memory 134 by focusing more on making theaccess decision rather than on individual attributes 425 and therelationships between the attributes 425.

FIG. 8 illustrates the system 100 of FIG. 1 making an access decision.As provided in FIG. 8, TBAC module 110 may store hard token 115 g,compliance token 115 h, VM token 115 i, subject token 115 k, datasettoken 115 l, and risk token 115 m, among others, as appropriate, as aset of tokens 620. TBAC module 110 may also include resource token 115 crepresenting a resource 145 and network token 115 f representing network120 in the set of tokens 620. These tokens 115 may further be correlatedwith session token 115 j pursuant to the functions described withrespect to FIGS. 2-7. These tokens 115 may indicate that a user 112 isrequesting access to the resource 145 over network 120. In particularembodiments, each token 115 may be associated with a layer in the OpenSystems Interconnection (OSI) stack. As an example and not by way oflimitation, network token 115 f may be associated with Layer 3 of theOSI stack. As another example and not by way of limitation, hard token115 g may be associated with Layer 2 of the OSI stack. By using thesetokens 115 in the set of tokens 620, TBAC module 110 may make an accessdecision when a user 112 requests access to a resource 145.

To make the access decision, TBAC module 110 may use the set of tokens620 to access tabular trust and transaction (TTT1) rules 830 stored inmemory 134. In particular embodiments, TTT1 rules 830 may specifyvarious levels 850 associated with the set of tokens 620. As an exampleand not by way of limitation, TTT1 rules 830 may specify that risk token115 m may determine a risk level, and that the more risk represented byrisk token 115 m, the higher the risk level may be. These levels 850 andtheir association with particular tokens 115 will be described furtherwith respect to FIG. 9. A particular TTT1 rule 830 may also specify anaccess decision associated with the various levels 850. As an exampleand not by way of limitation, a particular TTT1 rule 830 may specifythat access may be denied if the risk level is above a certainthreshold. TBAC module 110 may use a stored token 115, such as forexample, the risk token 115 m and the resource token 115 c to determinea particular TTT1 rule 830. Based on the access decision specified in aparticular TTT1 rule 830, TBAC module 110 may make a decision to grant,deny, or condition access to the resource 145. In particularembodiments, TBAC module 110 may then generate a decision token 115 nrepresenting an access decision.

In particular embodiments, the decision token 115 n may be communicatedby system 100 to facilitate enforcement of the access decision. As anexample and not by way of limitation, TBAC module 110 may communicatethe decision token 115 n to the resource provider 140 to facilitateenforcement of the access decision. As another example and not by way oflimitation, TBAC module 110 may communicate the decision token 115 n tothe device 114 to facilitate enforcement of the access decision. Afterreceiving the decision token 115 n, resource provider 140 or device 114may enforce the access decision. If the decision token 115 n representsa decision to grant access to the resource 145, then resource provider140 may grant access to resource 145 after it receives decision token115 n. If decision token 115 n represents a decision to deny access,then resource provider 140 may deny access to resource 145. Byleveraging tokens 115, TBAC module 110 may make faster and more granularaccess decisions.

Although this disclosure describes TBAC module 110 performing certainactions with respect to FIG. 8 this disclosure contemplates theprocessor 132 and the memory 134 of the TBAC module 110 performing theseactions. The illustration of system 100 in FIG. 8 does not specificallyillustrate all of the elements from the illustration of system 100 inFIG. 1 so that particular aspects of system 100 may be emphasized.However, system 100 of FIG. 8 includes all the elements of system 100 inFIG. 1.

FIG. 9 illustrates the levels 850 determined by the system 100 of FIG. 1in making an access decision 900. As provided in FIG. 9, access decision900 may depend upon four types of levels: integrity levels 910, trustlevels 920, risk levels 930, and identity assurance levels 940. Eachtype of level may take on a numerical value within a predefined rangesuch as, for example, 0 to 9, with higher numbers indicating a higherlevel of integrity, trust, risk, or identity assurance. Each type oflevel 850 may depend upon particular tokens 115 stored in TBAC module110. As an example and not by way of limitation, based on TTT1 rule 830,subject token 115 k and risk token 115 m may indicate a certain identityassurance level 940. In particular embodiments, the numerical value ofany particular level 850 may depend upon the OSI layer associated withthe particular tokens 115 associated with that level 850. As an exampleand not by way of limitation, a subject token 115 k representing anauthentication method from Layer 2 of the OSI stack may influence theidentity assurance level 940 more than a subject token 115 krepresenting an authentication method from Layer 7. Following will be adescription of the various types of levels 850 and how they may bedetermined.

Integrity levels 910 may indicate the quality and/or security of network120. A high integrity level may indicate that network 120 is safe fromintrusion by hackers, viruses, or malware. A high integrity level mayalso indicate that communications over network 120 may not experiencejitter or packet loss. In particular embodiments, integrity levels 910may be determined from network tokens 115 f and risk tokens 115 m. As anexample and not by way of limitation, integrity levels 910 may dependupon a trusted network connect (TNC) token, a netpath token, and/or anetwork access control (NAC) session token. Although this disclosuredescribes integrity levels 910 depending on particular tokens 115, thisdisclosure contemplates integrity levels 910 depending upon any suitabletokens 115. As an example and not by way of limitation, TBAC module 110may store a TNC token and a netpath token. TTT1 rule 830 may specifythat the integrity level 910 is a 6 if a TNC token and a netpath tokenare present. Based on TTT1 rule 830, TBAC module 110 may determine thatthe integrity level 910 is a 6 because the TNC token and the netpathtoken are present. In particular embodiments, when TBAC module 110receives a network token 115 f indicating a change in the network 120,TBAC module 110 may change integrity level 910 accordingly. The changedintegrity level 910 may cause user 112 to be denied or granted access toa resource 145.

Trust levels 920 may indicate the level of authentication or securityrequired or presented by resource 145. A high trust level may indicatethat resource 145 is a risk-sensitive resource that requires more secureforms of authentication in order to be accessed by user 112. Inparticular embodiments, trust levels 920 may be determined from resourcetoken 115 c and subject token 115 k. As an example and not by way oflimitation, trust levels 920 may depend upon trust tokens, certificatesas tokens, keys and signatures, digital fingerprint tokens, and anycustom tokens. As an example and not by way of limitation, TBAC module110 may store a trust token and a certificate as a token. TTT1 rule 830may specify that the trust level 920 is a 7 if a trust token and acertificate as a token are present. Based on TTT1 rule 830, TBAC module110 may determine that the trust level 920 is a 7 because the trusttoken and the certificate as a token are present. Although thisdisclosure describes trust level 920 depending upon particular types oftokens, this disclosure contemplates trust level 920 depending upon anysuitable types of tokens.

Risk levels 930 may indicate the overall risk associated with grantinguser 112 and device 114 access to resource 145 over network 120. Ahigher risk level may indicate that the user 112, device 114, and/ornetwork 120 presents a higher security risk associated with accessingthe resource 145. In particular embodiments, a higher risk level 930 mayindicate that more secure forms of authentication may be required toaccess the resource 145. As an example and not by way of limitation,user 112 may gain access to resource 145 despite a high risk level 930by providing higher levels of user authentication, for example, throughbiometric scans. Risk levels 930 may be determined from risk tokens 115m computed from dataset token 115 l, as described with respect to FIG.6. In particular embodiments, risk level 930 may be adjusted. As anexample and not by way of limitation, user 112 may lower risk level 930by securing network 120. Although this disclosure describes risk level930 depending upon particular types of tokens, this disclosurecontemplates risk level 930 depending upon any suitable types of tokens.

Identity assurance level 940 may indicate the strength of authenticationpresented by user 112 and device 114. A higher identity assurance level940 may indicate that user 112 has provided more secure forms ofauthentication. As an example and not by way of limitation, user 112 mayraise identity assurance level 940 by performing biometricauthentication. In particular embodiments, identity assurance levels 940may depend upon subject tokens 115 k and hard tokens 115 g. As anexample and not by way of limitation, identity assurance levels 940 maydepend upon Trusted Platform Module (TPM) tokens, Kerberos tokens,Security Assertion Markup Language (SAML) tokens, Single Sign-On (SSO)tokens, win SSO tokens, ping tokens, netegrity tokens, openauthentication tokens, MAC tokens, IP address tokens, user ID tokens,and password tokens. As an example and not by way of limitation, TBACmodule 110 may store a user ID token and a password token. TTT1 rule 830may specify that the identity assurance level 940 is a 2 if a user IDtoken and a password token are present. Based on TTT1 rule 830, TBACmodule 110 may determine that the identity assurance level 940 is a 2because the user ID token and the password token are present. Althoughthis disclosure describes identity assurance levels 940 depending uponparticular types of tokens, this disclosure contemplates identityassurance levels 940 depending upon any suitable types of tokens.

In particular embodiments, TBAC module 110 may use the integrity level910, trust level 920, risk level 930, and identity assurance level 940to make, based on TTT1 rule 830, an access decision 900. As an exampleand not by way of limitation, TTT1 rule 830 may indicate that in orderto grant access to a resource 145, integrity level 910, trust level 920,and identity assurance level 940 must be at least a 7. If, based on thetokens 115 correlated with session token 115 j, the integrity level 910is an 8, the trust level 920 is a 9, and the identity assurance level940 is a 6, then TBAC module 110 will deny access to the resource 145.If, however, the integrity level 910 is an 8, the trust level 920 is a9, and the identity assurance level 940 is a 7, then TBAC module 110will grant access to the resource 145. In particular embodiments, TBACmodule 110 may condition access to the resource 145. In such cases, TBACmodule 110 may attach conditions to the decision grant or deny access tothe resource 145. A more detailed description of conditioning access isprovided with respect to FIGS. 19 and 20.

FIG. 10 is a flowchart illustrating a method 1000 of making an accessdecision 900. TBAC module 110 may perform method 1000. As provided inFIG. 10, TBAC module 110 may begin by storing a hard token 115 g,compliance token 115 h, VM token 115 i, subject token 115 k, datasettoken 115 l, risk token 115 m, and a session token 115 j, among others,as appropriate, in step 1010. TBAC module 110 may continue by accessingthe TTT1 rules 830 in step 1020 to determine various levels 850. In step1030, TBAC module 110 may determine, by the TTT1 rules 830, an integritylevel 910 associated with risk token 115 m and network token 115 f. TBACmodule 110 may continue by determining, by the TTT1 rules 830, a trustlevel 920 associated with resource token 115 c and subject token 115 kin step 1040. In step 1050, TBAC module 110 may determine, by the TTT1rules 830, a risk level 930 associated with the risk token 115 m in step1040. TBAC module 110 may continue by determining, by the TTT1 rules830, an identity assurance level 940 associated with subject token 115 kand hard token 115 a in step 1060. After the various levels 850 havebeen determined, TBAC module 110 may determine what type of accessshould be granted to a requested resource 145 based on the integritylevel 910, trust level 920, risk level 930, and identity assurance level940 in step 1070. If TBAC module 110 determines access should be denied,then TBAC module 110 may generate a decision token 115 n representingthe denial of access in step 1080. If access should be granted, thenTBAC module 110 may generate a decision token 115 n representing thegrant of access in step 1085. If access should be conditioned, then TBACmodule 110 may generate a decision token 115 n representing theconditioning of access in step 1090. TBAC module 110 may conclude bycommunicating the decision token 115 n to a resource provider 140 tofacilitate enforcement of the access decision 900 in step 1070.

In particular embodiments, by examining tokens 115 rather thanattributes 425 in making an access decision 900, TBAC module 110 mayincrease the speed and efficiency of the decision-making process.Furthermore, by examining tokens 115, TBAC module 110 may lighten theprocessing load on processor 132 and memory 134 by focusing more onmaking the access decision 900 rather than on individual attributes 425and the relationships between the attributes 425.

FIGS. 11 and 12 illustrate system 100 performing the re-authenticationfunction. In general, TBAC module 110 may re-authenticate a user 112when a change occurs that challenges or puts into question the integrityof the authentication of user 112. TBAC module 110 may determine thatthe change sufficiently challenges the integrity of the authenticationof user 112. In response, TBAC module 110 may block the user 112 fromaccessing a resource and may request user 112 enter a password to regainaccess to the resource.

With regards to the re-authentication process, TBAC module 110 mayrequest the password be a one-time password (that is, a subsequentlygenerated password may not be the same as a previously generatedpassword) generated using the personal information of the user 112. TBACmodule 110 may then request user 112 to enter the one-time password.Included in the request 1110 may be a message instructing the user 112how to form the one-time password. If the user 112 enters the one-timepassword correctly, then TBAC module 110 may consider the user 112re-authenticated. This process of determining when a change sufficientlychallenges the integrity of the authentication of the user 112 and thesubsequent generation and request of a one-time password is referred toas re-authentication, which is discussed further with respect to FIGS.11 and 12.

FIG. 11 illustrates the system 100 of FIG. 1 re-authenticating a user112. As provided in FIG. 11, TBAC module 110 may store a plurality oftoken 115 to indicate that user 112 may be using device 114 to consumeresource 145 over network 120. TBAC module 110 may receive a token 115that indicates a change has occurred in network 120, resource 145, ordevice 114. As an example and not by way of limitation, token 115 mayindicate that traffic over network 120 is experiencing jitter. Asanother example and not by way of limitation, token 115 may indicatethat the access requirements of resource 145 may have changed. Althoughthis disclosure describes token 115 indicating particular changes, thisdisclosure contemplates token 115 indicating any changes in network 120,resource 145, or device 114.

In response to detecting token 115, TBAC module 110 may access userre-authentication (UUU1) rules 1130 stored in memory 134. In particularembodiments, UUU1 rules 1130 may specify what changes indicated by token115 trigger re-authentication. If a particular UUU1 rule 1130 specifiesthat the change indicated by token 115 triggers re-authentication, thenTBAC module 110 may begin the re-authentication process. As an exampleand not by way of limitation, if token 115 indicates that network 120 isexperiencing jitter and a particular UUU1 rule 1130 specifies thatjitter should trigger the re-authentication process, then TBAC module110 may initiate the re-authentication process.

TBAC module 110 may initiate the re-authentication process by requestingthe generation of a password using the personal information of the user112. TBAC module 110 may send the request to a token provider such as,for example, the private token provider 128. In response, the tokenprovider may generate the password using personal information of theuser 112. As an example and not by way of limitation, in response to therequest, private token provider 128 may generate the password byappending the birth year of the user 112 to the last three digits of thesocial security number of the user 112. Although this disclosuredescribes the generation of the password using particular types ofpersonal information, this disclosure contemplates the generation of thepassword using the age of the user 112, the number of children user 112has, the age of the spouse of user 112, or any other suitable personalinformation. In particular embodiments, the password may be a one-timepassword, that is, a subsequently generated password may not be the sameas a previously generated password. As an example and not by way oflimitation, in response to a second request following the previouslydescribed request, private token provider 128 may generate anotherpassword that does not use the same information as the previouslygenerated password.

In particular embodiments, after the token provider generates thepassword, the token provider may generate a re-authentication token 115o that represents the generated password. The token provider may thencommunicate the re-authentication token 115 o to TBAC module 110. TBACmodule 110 may use re-authentication token 115 o to generate a requestfor a second password 1110. The request for the second password 1110 mayinclude instructions on how to form the second password. As an exampleand not by way of limitation, if re-authentication token 115 o includesa password that was generated by appending the birth year of the user112 to the last three digits of the social security number of the user,then the request for the second password may include the message:“Please form the second password by appending your birth year to thelast three digits of your social security number.” In particularembodiments, TBAC module 110 may communicate the request for the secondpassword 1110 to device 114. User 112 may view the request for thesecond password 1110 and enter the second password using device 114.Device 114 may send a response 1120 that includes the second password toTBAC module 110. TBAC module 110 may then compare the passwordrepresented by re-authentication token 115 o and the second passwordincluded within the response 1120. If the password and the secondpassword match, TBAC module 110 may consider user 112 re-authenticated.If they do not match, TBAC module 110 may terminate a sessionrepresented by session token 115 j or TBAC module 110 may resend therequest for the second password 1110 to device 114.

Although this disclosure describes TBAC module 110 performing certainactions with respect to FIG. 11, this disclosure contemplates theprocessor 132 and the memory 134 of the TBAC module 110 performing theseactions. The illustration of system 100 in FIG. 11 does not specificallyillustrate all of the elements from the illustration of system 100 inFIG. 1 so that particular aspects of system 100 may be emphasized.However, system 100 of FIG. 11 includes all the elements of system 100in FIG. 1.

FIG. 12 is a flowchart illustrating a method 1200 of re-authenticating auser 112 using the system 100 of FIG. 1. TBAC module 110 may performmethod 1200. As provided in FIG. 12, TBAC module 110 may begin bystoring a hard token 115 g, compliance token 115 h, VM token 115 i,subject token 115 k, network token 115 f, and resource token 115 c,among others, as appropriate, in step 1210. The hard token 115 g may beassociated with a device 114. The resource token 115 c may be associatedwith a resource 145. The network token 115 f may be associated with anetwork 120. TBAC module 110 may continue by detecting a change in thenetwork 120, resource 145, or device 114 in step 1220. In particularembodiments, TBAC module 110 may detect a token 115 representing thechange. In response, TBAC module 110 may continue by accessing UUU1rules 1130 in step 1230. In step 1240, TBAC module 110 may determine,based on UUU1 rules 1130, whether the change triggers re-authentication.If not, TBAC module 110 may conclude. If the change does triggerre-authentication, TBAC module 110 may continue to step 1250 to requesta re-authentication token 115 o.

In step 1260, TBAC module 110 may receive the re-authentication token115 o. In particular embodiments, the re-authentication token 115 o mayinclude a password generated using personal information of user 112. Thepassword may be a one-time password. In step 1270, TBAC module 110 mayrequest a second password. In the request for the second password, TBACmodule 110 may include instructions on how to form the second password.In step 1280, TBAC module 110 may receive the second password. In step1290, TBAC module 110 may determine if the password and the secondpassword match. If not, TBAC module 110 may return to step 1270 andrequest the second password. In particular embodiments, TBAC module 110may also conclude if the password and second password do not match. Ifthe password and the second password do match, TBAC module 110 maycontinue to step 1295 to re-authenticate the user 112.

In particular embodiments, because TBAC module 110 uses tokens 115 todetect changes and to administer the re-authentication process, TBACmodule 110 may leverage information from numerous sources such as thenetwork 120, resource 145, and device 114 to accurately trigger there-authentication process. Furthermore, because TBAC module 110 utilizesone-time passwords generated from the personal information of the user112 during the re-authentication process, TBAC module 110 may provide amore secure re-authentication.

FIGS. 13 and 14 illustrate the system 100 combining authenticationmethods. In general, a user 112 may perform multiple methods ofauthentication during any session. For each method of authenticationperformed, system 100 may grant the user 112 a privilege such as forexample, an access right, edit right, or distribution right. System 100may further grant the user 112 privileges based on combinations ofauthentication methods performed. The process of determining theparticular combinations of authentication methods that yield thegranting of privileges is referred to as combining authenticationmethods, which is discussed further with respect to FIGS. 13 and 14.

In particular embodiments, TBAC module 110 may store multiple subjecttokens 115 k that indicate a user 112 has performed multiple forms ofauthentication. Each form of authentication may be associated with thegranting of a privilege 1310. TBAC module 110 may examine the multiplesubject tokens 115 k to determine if particular combinations of thesubject tokens 115 k may lead to the granting of privileges 1310. If acombination of the subject tokens 115 k does lead to the granting of aprivilege 1310, TBAC module 110 may generate a privilege token 115 p torepresent the privilege 1310. Privilege token 115 p may then becommunicated to facilitate the granting of the privilege 1310.

FIG. 13 illustrates the system 100 of FIG. 1 combining authenticationmethods. As provided in FIG. 13, TBAC module 110 may store a pluralityof subject tokens 115 k. As an example and not by way of limitation,TBAC module 110 may store a first subject token 115 k 1 and a secondsubject token 115 k 2. First subject token 115 k 1 may be correlatedwith second subject token 115 k 2. In particular embodiments, eachsubject token 115 k may indicate a different authentication method asanother subject token 115 k. As an example and not by way of limitation,first subject token 115 k 1 may indicate that user 112 has beenauthenticated with a user ID and password, and second subject token 115k 2 may indicate user 112 has been authenticated by providing correctanswers to security questions. Because each subject token 115 kindicates a particular authentication method, each subject token 115 kmay indicate a privilege 1310 or a set of privileges 1310 should begranted to user 112 for device 114. A privilege 1310 may grant a user112 the ability to perform certain operations. As an example and not byway of limitation, a privilege 1310 may grant the user 112 access to aresource, the ability to edit the resource, and/or the ability toterminate the resource. Although this disclosure describes privilege1310 granting the user 112 specific abilities, this disclosurecontemplates privilege 1310 granting the user 112 any suitable ability.

In particular embodiments, TBAC module 110 may detect whether acombination of authentication methods indicated by multiple subjecttokens 115 k may yield the granting of a privilege 1310. Using theprevious example, TBAC module 110 may detect a third subject token 115 k3 indicating user 112 has performed a third authentication method suchas a retina scan. TBAC module 110 may use the first subject token 115 k1, the second subject token 115 k 2, and the third subject token 115 k 3to access authentication method combination (III1) rules 1330 stored inmemory 134. III1 rules 1330 may specify the combinations ofauthentication methods that yield the granting of privileges 1310. TBACmodule 110 may use III1 rules 1330 to facilitate the granting ofprivileges 1310.

As an example and not by way of limitation, a particular III1 rule 1330may specify a privilege 1310 or a set of privileges 1310 to be grantedwhen a particular combination of authentication methods has beenperformed. Continuing the previous example, a particular III1 rule 1330may indicate that the combination of the user ID and passwordauthentication indicated by first subject token 115 k 1 and the retinascan authentication method indicated by third subject token 115 k 3yields the granting of a first privilege 1310 a. Another III1 rule 1330may specify that the combination of the security questionsauthentication method indicated by second subject token 115 k 2 and theretina scan authentication method indicated by third subject token 115 k3 yields the granting of a second privilege 1310 b. Yet another III1rule 1330 may specify that the combination of the user ID and passwordauthentication method indicated by first subject token 115 k 1, thesecurity questions authentication method indicated by second subjecttoken 115 k 2, and the retina scan authentication method indicated bythird subject token 115 k 3 yields the granting of a third privilege1310 c. Although this disclosure describes particular combinations ofsubject tokens 115 k yielding certain privileges 1310, this disclosurecontemplates any combination of any number of subject tokens 115 kyielding any number of privileges 1310. TBAC module 110 may use theseIII1 rules 1330 to facilitate the granting of first privilege 1310 a,second privilege 1310 b, and third privilege 1310 c to user 112.

To do so, TBAC module 110 may generate a privilege token 115 prepresenting the privileges 1310 granted to user 112. Continuing theprevious example, TBAC module 110 may generate a privilege token 115 prepresenting first privilege 1310 a, second privilege 1310 b, and thirdprivilege 1310 c granted as a result of particular combinations of firstsubject token 115 k 1, second subject token 115 k 2, and third subjecttoken 115 k 3. Privilege token 115 p may also represent other privileges1310 associated with the individual subject tokens 115 k.

In particular embodiments, TBAC module 110 may communicate privilegetoken 115 p to facilitate the granting of the privileges 1310represented by privilege token 115 p. As an example and not by way oflimitation, TBAC module 110 may communicate privilege token 115 p to aresource provider 140. In response, the resource provider 140 may grantuser 112 first privilege 1310 a, second privilege 1310 b, and thirdprivilege 1310 c associated with particular combinations of firstsubject token 115 k 1, second subject token 115 k 2, and third subjecttoken 115 k 3. In particular embodiments, TBAC module 110 may furthercorrelate the privilege token 115 p with the subject tokens 115 k.

Although this disclosure describes TBAC module 110 performing certainactions with respect to FIG. 13, this disclosure contemplates theprocessor 132 and the memory 134 of the TBAC module 110 performing theseactions. The illustration of system 100 in FIG. 13 does not specificallyillustrate all of the elements from the illustration of system 100 inFIG. 1 so that particular aspects of system 100 may be emphasized.However, system 100 of FIG. 13 includes all the elements of system 100in FIG. 1.

FIG. 14 is a flowchart illustrating a method 1400 of combiningauthentication methods using the system 100 of FIG. 1. TBAC module 110may perform method 1400. As provided in FIG. 14, TBAC module 110 maybegin by storing a first subject token 115 k 1 indicating a firstauthentication method and a second subject token 115 k 2 indicating asecond authentication method in step 1410. As an example and not by wayof limitation, the first authentication method may be a user ID andpassword and the second authentication method may be providing correctanswers to a security question. TBAC module 110 may continue bydetecting a third subject token 115 k 3 indicating a thirdauthentication method in step 1420. Continuing the example, the thirdauthentication method may be a retina scan.

TBAC module 110 may determine whether particular combinations ofauthentication methods lead to the granting of privileges 1310. Tobegin, TBAC module 110 may access III1 rules 1330 in step 1430. In steps1440, 1450, and 1460, TBAC module 110 may determine based on III1 rules1330 whether particular combinations of the first subject token 115 k 1,the second subject token 115 k 2, and the third subject token 115 k 3yield the granting of particular privileges 1310. In step 1440, TBACmodule 110 may determine that the combination of the first and thirdauthentication methods yield the granting of a first privilege 1310 a.In step 1450, TBAC module 110 may determine that the combination of thesecond and third authentication methods yield the granting of a secondprivilege 1310 b. In step 1460, TBAC module 110 may determine thecombination of the first, second, and third authentication methodsyields the granting of a third privilege 1310 c.

If TBAC module 110 determines that the first privilege 1310 a, thesecond privilege 1310 b, and/or the third privilege 1310 c should begranted in steps 1440, 1450, and 1460, then TBAC module 110 may continueto steps 1470, 1480, and 1490 to indicate the first privilege 1310 a,the second privilege 1310 b, and/or the third privilege 1310 c should begranted. TBAC module 110 may continue to step 1495 to generate aprivilege token 115 p representing the privileges 1310 that should begranted. TBAC module 110 may conclude at step 1498 by communicating theprivilege token 115 p to facilitate the granting of the privileges 1310that should be granted.

In particular embodiments, because TBAC module 110 may examineparticular combinations of authentication methods to determine ifcertain privileges 1310 should be granted, system 100 may provide a morerobust process of determining and granting privileges 1310 to a user112. Furthermore, because TBAC module 110 examines tokens 115 ratherthan attributes 425 to determine the granting of privileges 1310, TBACmodule 110 may provide a faster and more efficient process ofdetermining and granting privileges.

FIGS. 15 and 16 illustrate system 100 reassigning privileges 1310. Ingeneral, a user 112 may be granted a privilege 1310 or set of privileges1310, and these privileges 1310 may define what actions the user 112 mayperform while accessing a resource 145. However, for security reasons,when changes occur in the system 100, the user 112 may be denied certainprivileges 1310 based on those changes. The process of detecting achange and determining which privileges 1310 to deny or grant isreferred to as reassigning privileges, which is discussed further withrespect to FIGS. 15 and 16.

TBAC module 110 may be facilitating access by a user 112 to resource 145over a network 120. User 112 may have been granted a privilege 1310associated with accessing resource 145. However, when TBAC module 110detects a change, for example in the network 120 or resource 145, it maynot be safe for the user 112 to continue having the privilege 1310. TBACmodule 110 may determine, based on the change, if the privilege 1310should be denied. If the privilege should be denied, TBAC module 110 maygenerate a token 115 that, when communicated, may facilitate the denialof privilege 1310.

FIG. 15 illustrates the system 100 of FIG. 1 reassigning privileges1310. As provided in FIG. 15, TBAC module 110 may store a subject token115 k, resource token 115 c, network token 115 f, risk token 115 m, andprivilege token 115 p, among others, as appropriate. These tokens 115may be correlated with a session token 115 j to indicate that user 112may be accessing a resource 145 through a session. Furthermore, resourcetoken 115 p may represent a set of privileges 1310 granted to user 112.Each privilege 1310 in the set of privileges 1310 d may grant user 112 acertain ability while device 114 consumes resource 145. As an exampleand not by way of limitation, a privilege 1310 in the set of privileges1310 d may grant user 112 the ability to edit resource 145.

TBAC module 110 may be monitoring the session while user 112 isaccessing resource 145. In particular embodiments, TBAC module 110 mayreceive a token 115 that indicates a change has occurred in system 100.This change may correspond to a change in any of the tokens 115 storedin TBAC module 110, and may affect the privileges 1310 granted to user112. TBAC module 110 may determine the effect of the change on the setof privileges 1310 d and facilitate the revoking and granting ofprivileges 1310 to user 112 pursuant to the privilege reassignmentprocess.

TBAC module 110 may initiate the privilege reassignment process bycommunicating token 115 and risk token 115 m to the computed risk tokenprovider 124. In response, computed risk token provider 124 mayrecompute risk token 115 m based on the change represented by token 115to produce a recomputed risk token 115 m 2. Computed risk token provider124 may communicate the recomputed risk token 115 m 2 to TBAC module110.

TBAC module 110 may use the recomputed risk token 115 m 2 to facilitatethe revoking and granting of privileges 1310. TBAC module 110 may userecomputed risk token 115 m 2 to access privilege reassignment (PPP2)rules 1530 stored in memory 134 to determine the privileges 1310 fromthe set of privileges 1310 d that should be revoked and granted based onthe risk associated with the change indicated by token 115. As anexample and not by way of limitation, a particular PPP2 rule 1530 mayspecify that, based on the change, a privilege 1310 to edit resource 145may be revoked and a privilege 1310 to email the resource 145 may begranted. TBAC module 110 may add to the set of privileges 1310 d theprivileges 1310 that should be granted, and remove from the set ofprivileges 1310 d the privileges 1310 that should be revoked. Continuingthe previous example, based on the particular PPP2 rule, TBAC module 110may remove from the set of privileges 1310 d the privilege 1310 to editresource 145 and add to the set of privileges 1310 d the privilege toemail the resource 145.

TBAC module 110 may add and remove privileges 1310 from the set ofprivileges 1310 d to form a new set of privileges 1310 e. TBAC module110 may generate a new privilege token 115 p 2 to represent the new setof privileges 1310 e. TBAC module 110 may then communicate the newprivilege token 115 p 2 to facilitate the reassignment of the newprivileges 1310 e to user 112. In particular embodiments, TBAC module110 may communicate the new privilege token 115 p 2 to resource provider140 to facilitate the granting and revoking of privileges 1310. Inresponse, resource provider 140 may revoke the privileges 1310 thatshould be revoked and grant the privileges 1310 that should be granted.In this manner, TBAC module 110 may use tokens 115 to reassignprivileges 1310 to user 112 during runtime. In particular embodiments,TBAC module 110 may further use recomputed risk token 115 m 2 to make anaccess decision 900 following the process discussed with respect toFIGS. 8-10.

Although this disclosure describes TBAC module 110 performing certainactions with respect to FIG. 15, this disclosure contemplates theprocessor 132 and the memory 134 of the TBAC module 110 performing theseactions. The illustration of system 100 in FIG. 15 does not specificallyillustrate all of the elements from the illustration of system 100 inFIG. 1 so that particular aspects of system 100 may be emphasized.However, system 100 of FIG. 15 includes all the elements of system 100in FIG. 1.

FIG. 16 is a flowchart illustrating a method 1600 of reassigningprivileges 1310 using the system 100 of FIG. 1. TBAC module 110 mayperform method 1600. TBAC module 110 may begin by storing a subjecttoken 115 k, a resource token 115 c, a network token 115 f, a privilegetoken 115 p, a risk token 115 m, and a session token 115 j, amongothers, as appropriate, as a plurality of tokens 115 in step 1610. Instep 1620, TBAC module 110 may detect a token 115 indicating a change inat least one of the tokens 115 in the plurality of tokens 115. Inresponse, TBAC module 110 may communicate the token 115 and theplurality of tokens 115 to the computed risk token provider 124 torecompute the risk token 115 m in step 1630. TBAC module 110 may receivea recomputed risk token 115 m 2 in step 1640.

TBAC module 110 may begin reassigning privileges using the recomputedrisk token 115 m 2. To begin, TBAC module 110 may generate a set ofprivileges 1310 d granted to the user 112 represented by the privilegetoken 115 p in step 1650. In step 1660, TBAC module 110 may access PPP2rules 1530. In particular embodiments, TBAC module 110 may use therecomputed risk token 115 m 2 to access PPP2 rules 1530 to determinewhich privileges 1310 should be added to and removed from the set ofprivileges 1310 d. In step 1670, TBAC module 110 may determine whichprivileges 1310 in the set of privileges 1310 d should be revoked. Instep 1680, TBAC module 110 may remove the privileges 1310 from the setof privileges 1310 d that should be revoked. In step 1675, TBAC module110 may determine which privileges 1310 not in the set of privileges1310 d should be granted. In step 1685, TBAC module 110 may add theprivileges 1310 to the set of privileges 1310 d that should be granted.By adding and removing privileges 1310, TBAC module 110 will produce anew set of privileges 1310 e. TBAC module 110 may continue by generatinga new privilege token 115 p 2 representing the new set of privileges1310 e. TBAC module 110 may conclude by communicating the new privilegetoken 115 p 2 to facilitate the updating of the privileges 1310 of theuser 112.

In particular embodiments, because system 100 may detect when aprivilege 1310 should be denied while user 112 is accessing resource145, system 100 may provide a more robust and dynamic privilegingprocess. Furthermore, because TBAC module 110 uses tokens 115 toreassign privileges, system 100 may perform privilege reassignmentfaster and more efficiently.

FIGS. 17 and 18 illustrate system 100 performing packet prioritization.In general, some users 112 of system 100 may be more important thanother users 112. It may be desirable to prioritize the tasks of theimportant users 112 over the tasks of the other users 112. To accomplishthis, system 100 may prioritize packets 1725 by processing the networkpackets 1720 of the important users 112 before the network packets 1725of the other users 112. The process of determining a user 112 isimportant and prioritizing the packets of the important user 112 isreferred to as packet prioritization, which is discussed further withrespect to FIGS. 19 and 20.

TBAC module 110 may facilitate access by a user 112 to a resource 145.TBAC module 110 may determine that user 112 is a high priority user andshould have his packets processed before the packets of other users 112.TBAC module 110 may generate a token 115 to indicate that user 112 is ahigh priority user. TBAC module 110 may communicate the token 115 tofacilitate the prioritization of the packets of user 112.

FIG. 17 illustrates the system 100 of FIG. 1 prioritizing packets 1725.As provided in FIG. 17, TBAC module 110 may store a hard token 115 g(that may include a device identifier that identifies a device 114) anda compliance token 115 h to indicate that device 114 is capable ofconsuming a resource 145. In particular embodiments, TBAC module 110 mayreceive a subject token 115 k indicating the priority of user 112. As anexample and not by way of limitation, subject token 115 k may include auser identifier that indicates that user 112 is a high priority user. Inparticular embodiments, subject token 115 k may be correlated with hardtoken 115 g to associate the high priority user 112 with device 114. Asan example and not by way of limitation, correlating the hard token 115g with the subject token 115 k may indicate that the device 114 is beingused by the high priority user 112.

TBAC module 110 may use subject token 115 k to access packetprioritization (PPP1) rules 1730 stored in memory 134 to determine thepriority of user 112. As an example and not by way of limitation, aparticular PPP1 rule 1730 may specify that user 112 associated withsubject token 115 k should be prioritized above all other users 112 inthe system 100. As a result, by applying the particular PPP1 rule 1730,TBAC module 110 may determine that the user 112 associated with subjecttoken 115 k is a high priority user 112 and that packets from the highpriority user 112 should be processed before packets from any other user112 of system 100.

TBAC module 110 may generate a notification token 115 q indicating thepriority of user 112. In particular embodiments, notification token 115q may include the user identifier associated with the high priority user112 and the device identifier associated with the device 114 of the highpriority user 112. Notification token 115 q further include instructionson how to prioritize packet 1720 from user 112. As an example and not byway of limitation, if user 112 is a high priority user, notificationtoken 115 q may include instructions to prioritize packet 1720 from user112. TBAC module 110 may then communicate notification token 115 q tonetwork 120. In particular embodiments, TBAC module 110 may communicatenotification token 115 q to a network component of network 120 such as,for example, a router, a switch, a gateway, or a server such as a securetoken server. In response, network 120 may recognize packet 1720 fromuser 112 as a high priority packet 1720 and prioritize high prioritypacket 1720 over other packets 1725. As an example and not by way oflimitation, network 120 may process high priority packets 1720 before itprocesses other packets 1725 even if the other packets 1725 arrived atnetwork 120 prior to the high priority packet 1720.

In this manner, a process associated with the high priority user 112 maybe prioritized over the process of another user 112. As an example andnot by way of limitation, high priority user 112 may be authenticatedprior to other users 112 because the packets 1720 of high priority user112 are prioritized over the packets 1725 of other users 112. As anotherexample and not by way of limitation, by prioritizing packets 1720 fromhigh priority user 112, high priority user 112 may be authorized toaccess a resource 145 before other users 112 of the system 100. Althoughthis disclosure describes prioritizing particular processes of highpriority user 112, this disclosure contemplates prioritizing anysuitable process of high priority user 112. In general, TBAC module 110may communicate a session associated with the high priority user 112 tonetwork 120 such that all packets 1720 associated with the session ofthe high priority user 112 may be prioritized over the packets 1725 ofother users 112. TBAC module may further designate the session token 115j associated with the session as a high priority session token 115 j.

As yet another example and not by way of limitation, TBAC module 110 mayprioritize the provisioning of a container 210 to device 114 associatedwith the high priority user 112 by prioritizing the packets 1720 of thehigh priority user 112. TBAC module 110 may communicate a token 115 tofacilitate the provisioning of a container 210 to device 114. Container210 may include a virtual machine. If notification token 115 q indicatesthat user 112 is a high priority user, network 120 may process thepackets 1720 associated with token 115 before processing the packets1725 of other users 112 of system 100. As a result, network 120 mayfacilitate the provisioning of the container 210 to device 114 beforeprocessing other packets 1725. As an example and not by way oflimitation, if a high priority user 112 and another user 112 were bothwaiting for a container 210 to be provisioned to their devices 114,network 120 may prioritize the packets 1725 of the high priority user112 thereby resulting in the provisioning of the container 210 to thehigh priority user 112 prior to provisioning of the container 210 to theother user 112. Although this disclosure describes TBAC module 110performing certain actions with respect to FIG. 17, this disclosurecontemplates the processor 132 and the memory 134 of the TBAC module 110performing these actions. The illustration of system 100 in FIG. 17 doesnot specifically illustrate all of the elements from the illustration ofsystem 100 in FIG. 1 so that particular aspects of system 100 may beemphasized. However, system 100 of FIG. 17 includes all the elements ofsystem 100 in FIG. 1.

FIG. 18 is a flowchart illustrating a method 1800 of prioritizingpackets 1725 using the system 100 of FIG. 1. TBAC module 110 may performmethod 1800. As provided by FIG. 18, TBAC module 110 may begin bystoring a hard token 115 g, a compliance token 115 h, and a sessiontoken 115 j, among others, as appropriate, in step 1810. TBAC module 110may continue by receiving a subject token 115 k indicating the priorityof a user 112 in step 1820. In particular embodiments, the subject token115 k may indicate the user 112 is a high priority user. In particularembodiments, in response to the determination that the user 112 is ahigh priority user, the session token 115 j may be designated a highpriority session token. TBAC module 110 may continue by accessing PPP1rules 1730 in step 1830. In step 1840, TBAC module 110 may determine,based on PPP1 rules 1730, if the user 112 is a high priority user. Ifthe user 112 is not a high priority user, TBAC module 110 may conclude.

If the user 112 is a high priority user, TBAC module 110 may initiatepacket prioritization for the high priority user. To begin, TBAC module110 generate a notification token 115 q that includes a user identifieridentifying the high priority user and a device identifier identifying adevice 114 of the high priority user in step 1850. TBAC module 110 mayconclude in step 1860 by communicating the notification token 115 q toat least one network component to instruct the network component toprioritize packet communications associated with the high priority useror the device 114 of the high priority user.

In particular embodiments, by prioritizing the packets of certain users112, system 100 may provide more dynamic functionality to users 112.Furthermore, because TBAC module 110 uses tokens 115 to facilitatepacket prioritization, system 100 may be able to quickly and efficientlydetermine when to prioritize the packets of a certain user.

FIGS. 19 and 20 illustrate system 100 conditioning an access decision900. In some instances, making an access decision 900 may be morecomplicated than granting or denying access. There may be conditions1910 attached to those decisions. For example, a decision to deny may beaccompanied with a condition 1910 that, if satisfied, may result in thegranting of access. The process of determining conditions 1910 andcommunicating the conditions 1910 is referred to as conditioning, whichis discussed further with respect to FIGS. 19 and 20.

TBAC module 110 may make an access decision 900 following the processdiscussed with respect to FIGS. 8-10. In addition to making a decisionto grant or deny access, TBAC module 110 may determine conditionsassociated with the decision to grant or deny access. TBAC module 110may generate a decision token 115 n that represents the condition, andmay communicate the decision token 115 n to facilitate enforcement ofthe condition.

FIG. 19 illustrates the system 100 of FIG. 1 conditioning an accessdecision 900. As provided in FIG. 19, TBAC module 110 may store a hardtoken 115 g, a compliance token 115 h, a VM token 115 i, a subject token115 k, a dataset token 115 l, a risk token 115 m, and a session token115 j, among others, as appropriate. These tokens 115 may indicate auser 112 is requesting access to a resource 145 over a network 120.Using these tokens 115, TBAC module 110 may make an access decision 900following the process described with respect to FIGS. 8 through 10.

In addition to making an access decision 900, TBAC module 110 maydetermine a condition 1910 associated with the access decision 900. TBACmodule 110 may use the stored tokens 115 to access conditioning (DDD1)rules 1930 stored in memory 134 to determine the condition 1910. Aparticular DDD1 rule 1930 may specify a condition 1910 associated withaccessing a particular resource 145. In particular embodiments, thecondition 1910 may include an obligation 1920, and/or a message 1940associated with the access decision 900.

Condition 1910 may include an obligation 1920 to be fulfilled inconjunction with enforcing the access decision 900. In particularembodiments, obligation 1920 must be performed in conjunction withenforcing the access decision 900. As an example and not by way oflimitation, obligation 1920 may indicate that resource provider 140 mustsynchronize its system clock with the network 120 clock before grantingaccess to a resource 145. In certain embodiments, obligation 1920 may beoptional with respect to enforcing the access decision 900. As anexample and not by way of limitation, obligation 1920 may recommend thatresource provider 140 may synchronize its system clock with the network120 clock before granting access to a resource 145.

Obligation 1920 may indicate a task to be performed by a component ofsystem 100 upon receiving the access decision 900 along with theobligation 1920. As an example and not by way of limitation, obligation1920 may be synchronizing a system clock of the resource provider 140with a clock on a network 120. Upon receiving the access decision 900along with the obligation 1920 to synchronize a system clock, resourceprovider 140 may enforce the access decision 900 and synchronize itssystem clock with a clock on network 120. As another example and not byway of limitation, obligation 1920 may be initializing the logging oferrors and performance metrics related with enforcing the accessdecision 900. Upon receiving the access decision 900 along with theobligation 1920, resource provider 140 may enforce the access decision900 and initialize the logging of errors and performance metrics relatedwith enforcing the access decision. As yet another example and not byway of limitation, obligation 1920 may be tracking transactions overnetwork 120. Upon receiving the access decision 900 along with theobligation 1920, resource provider 140 may enforce the access decision900 and begin tracking transactions associated with a requested resource145.

Obligation 1920 may indicate a task to be performed by user 112 beforeaccess to the resource 145 may be granted. As an example and not by wayof limitation, obligation 1920 may indicate that a peripheral devicesuch as a USB drive is attached to device 114 and that the peripheraldevice should be removed before access may be granted to resource 145.During enforcement of an access decision 900, user 112 may be notifiedto remove the peripheral device. If user 112 removes the peripheraldevice from device 114, obligation 1920 may be satisfied and access toresource 145 may be granted to user 112. As another example, and not byway of limitation, obligation 1920 may indicate that informationrequired to access resource 145 such as, for example, the birthday ofthe user 112 may be missing. If user 112 supplies the missinginformation, for example by entering the birthday into device 114,obligation 1920 may be satisfied and access to resource 145 may begranted.

Condition 1910 may include a message 1940. Message 1940 may provide anexplanation for the access decision 900. As an example and not by way oflimitation, if access to resource 145 was denied because user 112 wasnot of a particular age, message 1940 may state that access was deniedbecause user 112 was not old enough. As another example and not by wayof limitation, if access to resource 145 was granted because user 112was exempt from an age restriction, message 1940 may state that accesswas granted because user 112 is exempt from the age restriction. Message1940 may further provide instructions on how to fulfill obligation 1920.For example, if obligation 1920 indicates that user 112 should remove aUSB drive attached to device 114 before access may be granted, message1940 may instruct user 112 to remove the USB drive.

In particular embodiments, TBAC module 110 may generate a decision token115 n representing condition 1910. In certain embodiments, decisiontoken 115 n may also represent the access decision 900. TBAC module 110may communicate decision token 115 n to resource provider 140 tofacilitate the enforcement of the access decision 900 and the condition1910.

Although this disclosure describes TBAC module 110 performing certainactions with respect to FIG. 19, this disclosure contemplates theprocessor 132 and the memory 134 of the TBAC module 110 performing theseactions. The illustration of system 100 in FIG. 19 does not specificallyillustrate all of the elements from the illustration of system 100 inFIG. 1 so that particular aspects of system 100 may be emphasized.However, system 100 of FIG. 19 includes all the elements of system 100in FIG. 1.

FIG. 20 is a flowchart illustrating a method 2000 of conditioning accessdecisions 900 using the system 100 of FIG. 1. TBAC module 110 mayperform method 2000. As provided in FIG. 20, TBAC module 110 may beginby storing a hard token 115 g, compliance token 115 h, VM token 115 i,subject token 115 k, risk token 115 m, and session token 115 j, amongothers, as appropriate, as a plurality of tokens in step 2010. TBACmodule 110 may continue by accessing DDD1 rules 1930 in step 2020. Instep 2030, TBAC module 110 may determine if there is a condition 1910associated with the plurality of tokens. If there is no condition 1910associated with the plurality of tokens, TBAC module 110 may conclude.

If there is a condition 1910 associated with the plurality of tokens,TBAC module 110 may initiate conditioning. To begin, TBAC module 110 maycontinue to steps 2040 and 2042. In step 2040, TBAC module 110 maydetermine if the condition 1910 includes an obligation 1920. If thecondition 1910 does include an obligation 1920, TBAC module 110 maycontinue to step 2050 to indicate the obligation 1920 should be includedin a decision token 115 n. In step 2042, TBAC module 110 may determineif the condition 1910 includes a message 1940. If the condition 1910includes a message 1940, TBAC module 110 may continue to step 2052 toindicate the message 1940 should be included in a decision token 115 n.TBAC module 110 may continue to step 2060 to generate the decision token115 n with the obligation 1920 and/or message 1940 if they are indicatedto be included in the decision token 115 n. TBAC module 110 may concludein step 2070 by communicating the decision token 115 n.

In particular embodiments, because system 100 may place conditions onaccess decisions 900, system 100 may make more robust access decisions900. Furthermore, because TBAC module 100 uses tokens to performconditioning, system 100 may make an access decision 900 quicker andmore efficiently.

FIGS. 21 and 22 illustrate the system 100 accessing related resources145 b. In general, certain resources 145 may share a relationship withsome related resources 145 b. For example, a computer resource mayinclude several sub-resources such as an email client, a word processor,and a browser. When system 100 determines whether a user 112 may accessa resource 145, system 100 may also determine, based on access to theresource 145, whether there are any related resources 145 b that user112 may also access. This process of determining access to relatedresources 145 b is discussed further with respect to FIGS. 21 and 22.

TBAC module 110 may make an access decision 900 for a resource 145following the process discussed with respect to FIGS. 8-10. TBAC module110 may also make an access decision 900 for any related resources 145 bthat share a relationship with the resource 145. For example, user 112may frequently access the related resource 145 b while the user 112accesses the resource 145. TBAC module 110 may provide the user 112 witha better and more seamless user experience by determining access to therelated resource 145 b based on the access decision 900 for the resource145.

FIG. 21 illustrates the system 100 of FIG. 1 making an access decision900 for a related resource 145 b. As provided in FIG. 21, TBAC module110 may store hard token 115 g, compliance token 115 h, VM token 115 i,subject token 115 k, resource token 115 c, risk token 115 m, and sessiontoken 115 j, among others, as appropriate. These tokens 115 may indicatethat a user 112 is attempting to access a resource 145. TBAC module 110may use these tokens 115 to make an access decision 900 following theprocess described with respect to FIGS. 8-10. In particular embodiments,while making the access decision 900, TBAC module 110 may determine anauthorization level 2110 associated with access by the user 112 to theresource 145. The authorization level 2110 may be a numerical value. Ifthe value of authorization level 2110 is above a certain threshold, thenuser 112 may be granted access to resource 145. In particularembodiments, TBAC module 110 may use the authorization level 2110 todetermine if user 112 may be granted access to any related resources 145b that share a relationship with resource 145.

To accomplish this, TBAC module 110 may use authorization level 2110 toaccess resource relationship (RRR3) rules 2130 stored in memory 134.RRR3 rules 2130 may specify a related resource 145 b that shares arelationship with the resource 145. As an example and not by way oflimitation, a particular RRR3 rule 2130 may specify that resource 145 isa composite resource that includes several sub-resources, and relatedresource 145 b may be a sub-resource of resource 145. As another exampleand not by way of limitation, a particular RRR3 rule 2130 may specifythat related resource 145 b is a frequently accessed resource inconjunction with accessing resource 145. Although this disclosuredescribes related resource 145 b sharing particular relationships withresource 145, this disclosure contemplates related resource 145 bsharing any suitable relationship with resource 145. Based onauthorization level 2110, TBAC module 110 may determine that user 112 isauthorized to access related resource 145 b. As an example and not byway of limitation, TBAC module 110 may determine that the authorizationlevel 2210 is an 8. If an authorization level 2110 of at least 7 isrequired to access the related resource 145 b, then TBAC module 110 maygrant access to the related resource 145. As another example and not byway of limitation, if resource 145 includes several sub-resources, oneof which is related resource 145 b, an authorization level 2210 of an 8may be sufficient to access the related resource 145 b, but it may notbe sufficient to access other sub-resources of resource 145. In thatcase, user 112 may be granted access to related resource 145 b, butother sub-resources may be hidden or inaccessible.

In particular embodiments, TBAC module 110 may generate a decision token115 n representing the determination that user 112 is authorized toaccess related resource 145 b. TBAC module 110 may communicate decisiontoken 115 n to resource provider 140 to facilitate enforcement of thedecision to grant access to the related resource 145 b. In response,resource provider 140 may grant user 112 access to related resource 145b. In particular embodiments, TBAC module 110 may further receive arecomputed risk token 115 m 2 representing the risk associated withgranting the user 112 access to the resource 145 and the relatedresource 145 b. Recomputed risk token 115 m 2 may be computed based onaccess by the user 112 to resource 145 and related resource 145 b, notjust resource 145.

Although this disclosure describes TBAC module 110 performing certainactions with respect to FIG. 21, this disclosure contemplates theprocessor 132 and the memory 134 of the TBAC module 110 performing theseactions. The illustration of system 100 in FIG. 21 does not specificallyillustrate all of the elements from the illustration of system 100 inFIG. 1 so that particular aspects of system 100 may be emphasized.However, system 100 of FIG. 21 includes all the elements of system 100in FIG. 1.

FIG. 22 is a flowchart illustrating a method 2200 of making an accessdecision 900 for a related resource 145 b using the system 100 ofFIG. 1. TBAC module 110 may perform method 2200. As provided in FIG. 22,TBAC module 110 may begin by storing a hard token 115 g, compliancetoken 115 h, VM token 115 i, subject token 115 k, resource token 115 c,risk token 115 m, and session token 115 j, among others as appropriateas a plurality of tokens in step 2210. TBAC module 110 may continue bystoring an authorization level 2110 associated with access by a user 112to a resource 145 in step 2220. In particular embodiments, if theauthorization level 2110 is above a certain threshold then user 112 maybe granted access to the resource 145. TBAC module 110 may continue byaccessing RRR3 rules 2130 in step 2230. In step 2240, method 2200 maydetermine, based on RRR3 rule 2130, if there is a related resource 145 bthat shares a relationship with the resource 145. If there is no relatedresource 145 b, TBAC module 110 may conclude. If there is a relatedresource 145 b, TBAC module 110 may continue to step 2250 to determineif the user 112 is authorized to access the related resource 145 b basedon the authorization level 2110. If the user is not authorized to accessthe related resource, TBAC module 110 may conclude. If the user 112 isauthorized to access the related resource 145 b, TBAC module 110 maycontinue to step 2260 to generate a decision token 115 n indicating thatuser 112 should be granted access to the related resource 145 b. TBACmodule 110 may then conclude at step 2270 by communicating the decisiontoken 115 n to facilitate access to the related resource 145 b.

In particular embodiments, because system 100 may determine access torelated resources 145 b, system 100 may provide a more seamless userexperience for a user 112. Furthermore, because TBAC module 110 usestokens to determine access to the related resources 145 b, system 100may determine access to the related resources 145 b quicker and moreefficiently.

FIGS. 23 and 24 illustrate the system 100 performing a real-time riskupdate. In general, changes may occur in the system 100 while a user 112is accessing a resource 145. These changes may pose risks, such assecurity risks, for the system 100, and access to the resource 145 maybe cut off because of these risks. The process of detecting a change anddetermining the risk posed by the change is referred to as real-timerisk updating, which is discussed further with respect to FIGS. 23 and24.

TBAC module 110 may detect changes in system 100 while monitoring asession and determine whether those changes trigger a real-time riskupdate. If a change does trigger a real-time risk update, TBAC module110 may request a real-time risk update in the form of a recomputed risktoken 115 m 2. TBAC module 110 may then use the recomputed risk token115 m 2 to make an access decision 900 following the process describedwith respect to FIGS. 8-10.

FIG. 23 illustrates the system 100 of FIG. 1 updating risk in real-time.As provided in FIG. 23, TBAC module 110 may store a hard token 115 g, asubject token 115 k, a resource token 115 c, a network token 115 f, arisk token 115 m, and a session token 115 j, among others asappropriate, as a plurality of tokens. The plurality of tokens mayindicate a user 112 is accessing a resource 145 over network 120. TBACmodule 110 may receive a token 115 that indicates a change associatedwith accessing a resource 145. In particular embodiments, token 115 mayfurther indicate that a change has occurred to at least one token 115 inthe plurality of tokens. In response to receiving token 115, TBAC module110 may use token 115 and/or the plurality of tokens to access real-timerisk (RRR2) rules 2330 stored in memory 134. In particular embodiments,RRR2 rules 2330 may specify which changes indicated by token 115 maytrigger a risk update. As an example and not by way of limitation, aparticular RRR2 rule 2330 may specify that jitter over network 120 maytrigger a risk update. If token 115 indicates that network 120 isexperiencing jitter, then token 115 may trigger a risk update.

To initiate the risk update, TBAC module 110 may generate a new datasettoken 115 l 2 that represents the token 115 and the plurality of tokens.As an example and not by way of limitation, if token 115 is a networktoken 115 f indicating that network 120 is experiencing jitter, then newdataset token 115 l 2 may indicate the presence of the network token 115f indicating jitter over the network 120. New dataset token 115 l 2 mayfurther indicate the presence of the tokens 115 in the plurality oftokens. For example, new dataset token 115 l 2 may also indicate thepresence of risk token 115 m, which represents a risk associated withaccessing the resource before the change. In this manner, new datasettoken 115 l 2 may represent both the state of system 100 prior to thechange and the change itself.

TBAC module 110 may communicate the new dataset token 115 l 2 to thecomputed risk token provider 124. In response, computed risk tokenprovider 124 may include the change indicated by token 115 inrecomputing the risk represented by risk token 115 m. In this manner,the recomputed risk may represents the risk associated with continuingaccess to the resource with the change. After recomputing the risk,computed risk token provider 124 may generate a recomputed risk token115 m 2 that represents the recomputed risk. In particular embodiments,computed risk token provider 124 may communicate the recomputed risktoken 115 m 2 to TBAC module 110. In response, TBAC module 110 mayincorporate recomputed risk token 115 m 2 into the plurality of tokens.As an example and not by way of limitation, TBAC module 110 may replacerisk token 115 m with recomputed risk token 115 m 2. As another exampleand not by way of limitation, TBAC module 110 may include recomputedrisk token 115 m 2 into the plurality of tokens in addition to the risktoken 115 m.

In particular embodiments, the recomputed risk represented by recomputedrisk token 115 m 2 may affect an access decision 900 previously made byTBAC module 110 following the process discussed with respect to FIGS.8-10. In that case, TBAC module 110 may perform that process again withthe recomputed risk token 115 m 2 to produce a new access decision 900.In particular embodiments, TBAC module 110 may generate a decision token115 n that represents the new access decision 900. TBAC module 110 maythen communicate decision token 115 n to facilitate enforcement of thenew access decision 900. In particular embodiments, TBAC module 110 maycommunicate the decision token 115 n to the resource provider 140.

Although this disclosure describes TBAC module 110 and computed risktoken provider 124 performing certain actions with respect to FIG. 23,this disclosure contemplates the processor 132 and the memory 134 of theTBAC module 110 and the processor 132 of the computed risk tokenprovider 124 performing these actions. The illustration of system 100 inFIG. 23 does not specifically illustrate all of the elements from theillustration of system 100 in FIG. 1 so that particular aspects ofsystem 100 may be emphasized. However, system 100 of FIG. 23 includesall the elements of system 100 in FIG. 1.

FIG. 24 is a flowchart illustrating a method 2400 of updating risk inreal time using the system 100 of FIG. 1. TBAC module 110 may performmethod 2400. As provided by FIG. 24, TBAC module 110 may begin bystoring a hard token 115 g, subject token 115 k, resource token 115 c,network token 115 f, risk token 115 m, and session token 115 j, amongothers as appropriate, as a plurality of tokens in step 2410. TBACmodule 110 may continue by receiving a token 115 indicating a changeassociated with accessing a resource 145 in step 2420. In particularembodiments, the change may correspond with a change to a token 115 inthe plurality of tokens. TBAC module 110 may continue by accessing RRR2rules 2330 in step 2430. In step 2440, TBAC module 110 may determine ifthe change triggers a risk update. If the change does not trigger a riskupdate, TBAC module 110 may conclude.

If the change does trigger a risk update, TBAC module 110 may initiatethe risk updating process. To begin, TBAC module 110 may generate a newdataset token 115 l 2 that represents the plurality of tokens and thetoken 115 that indicates the change in step 2450. In particularembodiments, new dataset token 115 l 2 may indicate the state of system100 prior to the change and the change itself by representing theplurality of tokens and the token 115 that indicates the change. TBACmodule 110 may continue to communicate the new dataset token 115 l 2 tothe computed risk token provider 124 in step 2460. In response, computedrisk token provider 124 may include the change represented by the token115 in recomputing the risk represented by risk token 115 m and generatea recomputed risk token 115 m 2 that represents the recomputed risk. Instep 2470, TBAC module 110 may receive the recomputed risk token 115 m2.

In particular embodiments, TBAC module 110 may continue to step 2480 toupdate an access decision 900 based on the recomputed risk token 115 m2. TBAC module 110 may update the access decision 900 following theprocess discussed with respect to FIGS. 8-10. In step 2485, TBAC module110 may generate a decision token 115 n that represents the updatedaccess decision 900. TBAC module 110 may conclude at step 2490 bycommunicating the decision token 115 n to facilitate enforcement of theupdated access decision 900.

In particular embodiments, because system 100 may perform real-time riskupdates, system 100 may provide better security associated withaccessing a resource 145. Furthermore, because TBAC module 110 usestokens 115 to perform the real-time risk update, system 100 may providefaster and more efficient security.

FIGS. 25 and 26 illustrate the system 100 combining risk ratings. Ingeneral, during any session, a user 112 may perform severaltransactions. A particular transaction may have a risk associated withit that is different from the risk associated with another transaction.System 100 may determine if these risks are related and combine them togenerate a clearer picture of the overall risk posed by user 112. Thisprocess of determining related risks and combining them is referred toas combining risk ratings, which is discussed further with respect toFIGS. 25 and 26.

TBAC module 110 may store multiple risk tokens 115 m while monitoring asession. Each risk token 115 m may represent a risk associated with aparticular transaction. TBAC module 110 may determine which risks arerelated and combine the related risks into a composite risk token 115 m3. TBAC module 110 may then use the composite risk token 115 m 3 to makean access decision 900 following the process described with respect toFIGS. 8-10.

FIG. 25 illustrates the system 100 of FIG. 1 combining risk ratings. Asprovided by FIG. 25, TBAC module 110 may store a hard token 115 g, asubject token 115 k, a resource token 115 c, a first risk token 115 m 4,a second risk token 115 m 5, a third risk token 115 m 6, and a sessiontoken 115 j, among others as appropriate as a plurality of tokens. Inparticular embodiments, first risk token 115 m 4, second risk token 115m 5, and third risk token 115 m 6 may each represent a risk rating. Therisk rating may be a numerical value that indicates a risk associatedwith granting a particular user 112 access to a particular resource 145.Although this disclosure describes a particular number of risk tokens115 m stored in TBAC module 110, this disclosure contemplates any numberof risk tokens 115 m stored in TBAC module 110.

In particular embodiments, particular combinations of the risk ratingsrepresented by first risk token 115 m 4, second risk token 115 m 5,and/or third risk token 115 m 6 may provide more information about therisk associated with user 112 145. To determine these particularcombinations, TBAC module 110 may use the first risk token 115 m 4, thesecond risk token 115 m 5, and the third risk token 115 m 6 to accessrisk combination (CCC3) rules 2530 stored in memory 134. In particularembodiments, a particular CCC3 rule 2530 may specify which risk tokens115 m may be related, and therefore may be combined to yield informationabout risk. As an example and not by way of limitation, the particularCCC3 rule 2530 may specify that the second risk token 115 m 5 and thethird risk token 115 m 6 are related because they are associated withsub-resources 145 b of a composite resource 145, and that therefore, thecombination of the second risk token 115 m 5 and the third risk token115 m 6 may yield information about the risk associated with grantingaccess to another sub-resource 145 b of the composite resource 145.Although this disclosure describes risk tokens 115 m being related byresource 145, this disclosure contemplates risk tokens 115 m beingrelated in any suitable manner, including by user 112, network 120, anaction performed by user 112, or any combination thereof.

For example, a particular CCC3 rule 2530 may specify that first risktoken 115 m 4 and the second risk token 115 m 5 are related because theyare associated with similar actions performed by user 112, such as forexample, withdrawals from particular accounts of user 112, and thattherefore, the combination of the first risk token 115 m 4 and thesecond risk token 115 m 5 may yield information about the riskassociated with granting a withdrawal to user 112 for another account.

In particular embodiments, the particular CCC3 rule 2530 may furtherspecify how to combine risk ratings. As an example and not by way oflimitation, the particular CCC3 rule 2530 may specify that the riskrating represented by second risk token 115 m 5 and the risk ratingrepresented by third risk token 115 m 6 should be arithmeticallycombined by a weighted average to produce a composite risk rating. Inresponse, TBAC module 110 may produce a composite risk rating bycomputing the weighted average, indicated by the particular CCC3 rule2530, of the risk ratings represented by second risk token 115 m 5 andthird risk token 115 m 6. TBAC module 110 may then generate a compositerisk token 115 m 3 that represents the composite risk rating. Althoughthis disclosure describes combining risk ratings in a particular manner,this disclosure contemplates combining the risk ratings in any suitablemanner.

In particular embodiments, TBAC module 110 may use the composite risktoken 115 m 3 to facilitate the making of an access decision 900following the process discussed with respect to FIGS. 8-10. As anexample and not by way of limitation, if composite risk token 115 m 3was computed from risk tokens 115 m associated with differentsub-resources 145 b of a composite resource, TBAC module 110 may usecomposite risk token 115 m 3 to facilitate the making of an accessdecision 900 associated with access to another sub-resource 145 b of thecomposite resource 145. As another example and not by way of limitation,if composite risk token 115 m 3 was computed from risk tokens 115 massociated with a similar action, such as for example, a withdrawal fromdifferent accounts, TBAC module 110 may use composite risk token 115 m 3to facilitate the making of an access decision 900 associated with theaction, such as for example, a withdrawal from another account.

After making the access decision 900, TBAC module 110 may generate adecision token 115 n that represents the access decision 900. TBACmodule 110 may then communicate the decision token 115 n to facilitateenforcement of the access decision 900. In particular embodiments, TBACmodule 110 may communicate the decision token 115 n to the resourceprovider 140 to facilitate enforcement of the access decision 900.

Although this disclosure describes TBAC module 110 performing certainactions with respect to FIG. 25, this disclosure contemplates theprocessor 132 and the memory 134 of the TBAC module 110 performing theseactions. The illustration of system 100 in FIG. 25 does not specificallyillustrate all of the elements from the illustration of system 100 inFIG. 1 so that particular aspects of system 100 may be emphasized.However, system 100 of FIG. 25 includes all the elements of system 100in FIG. 1.

FIG. 26 is a flowchart illustrating a method 2600 of combining riskratings using the system 100 of FIG. 1. TBAC module 110 may performmethod 2600. As provided by FIG. 26, TBAC module 110 may begin bystoring a plurality of risk tokens 115 m in step 2610. TBAC module 110may continue by accessing CCC3 rules 2530 in step 2620. In step 2630,TBAC module 110 may determine, based on CCC3 rules 2530, if there is aset of risk tokens 115 m in the plurality of risk tokens 115 m that arerelated according to the process described above with respect to FIG.25. If there is not a set of related risk tokens 115 m, TBAC module 110may conclude.

If there is a set of related risk tokens 115 m, TBAC module 110 maycombine risk ratings. To begin, TBAC module 110 may arithmeticallycombine the risk ratings represented by each risk token 115 m in the setof related risk tokens 115 m to produce a composite risk rating in step2640. As an example and not by way of limitation, TBAC module 110 maycompute a weighted average of the risk ratings. TBAC module 110 maycontinue to generate a composite risk token 115 m 2 representing thecomposite risk rating in step 2650. In step 2660, TBAC module 110 mayuse the composite risk token 115 m 2 to facilitate the making of anaccess decision 900 following the process discussed with respect toFIGS. 8-10. TBAC module 110 may continue in step 2670 by generating adecision token 115 n representing the access decision 900. TBAC module110 may conclude by communicating the decision token 115 n to facilitateenforcement of the access decision 900 in step 2680.

In particular embodiments, because system 100 may combine risk ratings,system 100 may make more robust access decisions 900. Furthermore,because TBAC module 110 uses tokens 115 to combine risk ratings, system100 may generate an overall risk for a user 112 quicker and moreefficiently.

FIGS. 27 and 28 illustrate the system 100 tagging transactions 2710. Ingeneral, even a very trusted user 112 using a very secure network 120and device 114 may sometimes perform a risky transaction 2710. In thosesituations, despite the security credentials of the user 112, it may bedesirable to flag the transaction 2710 and monitor it closely. Theprocess of determining when a transaction 2710 is risky and flagging andmonitoring the transaction 2710 is referred to as transaction tagging,which is discussed further with respect to FIGS. 27 and 28.

TBAC module 110 may be monitoring a session that facilitates access by auser 112 to a resource 145 when TBAC module 110 detects the user 112 isattempting to perform a transaction 2710 that is risky. In response,TBAC module 110 may generate a tag 2720 that is added to the transaction2710 and/or the tokens 115 associated with user 112. TBAC module 110 mayfurther generate a message 2740 that indicates the transaction should beprocessed in isolation.

FIG. 27 illustrates the system 100 of FIG. 1 tagging transactions 2710.As provided in FIG. 27, TBAC module 110 may store a hard token 115 g, asubject token 115 k, a resource token 115 c, a network token 115 f, asession token 115 j, and others as appropriate. Session token 115 j maybe associated with a session. In particular embodiments, the session mayfacilitate the processing of a transaction 2710. The transaction mayrepresent an action taken by a user 112 against a resource 145. As anexample and not by way of limitation, transaction 2710 may be a transferof money from a domestic bank account to a foreign bank account. Inparticular embodiments, user 112 may attempt to perform the transaction2710. As a result, TBAC module 110 may receive a transaction risk token115 r associated with the transaction 2710. Transaction risk token 115 rmay indicate a risk associated with processing the transaction 2710. Asan example and not by way of limitation, if transaction 2710 representsan attempt to transfer money from a domestic bank account to a foreignbank account, transaction risk token 115 r may indicate that transaction2710 is a high risk transaction because of the potential for moneylaundering or tax evasion.

TBAC module 110 may use transaction 2710 and transaction risk token 115r to access transaction tagging (TTT4) rules 2730 stored in memory 134.In particular embodiments, TTT4 rules 2730 may specify when atransaction 2710 may be classified as a high risk transaction based ontransaction risk token 115 r. TBAC module 110 may use TTT4 rules 2730 todetermine if a particular transaction 2710 is a high risk transaction.If the particular transaction 2710 is a high risk transaction, TBACmodule 110 may initiate the transaction tagging process.

In particular embodiments, TBAC module 110 may initiate the transactiontagging process by generating a tag 2720. Tag 2720 may be added totransaction 2710 to indicate that the transaction 2710 is a high risktransaction. As an example and not by way of limitation, tag 2720 may bea ciphered value added to the syntax of the transaction 2710. Tag 2720may also be added to a subject token 115 k associated with user 112 or aresource token 115 c associated with resource 145. In particularembodiments, tag 2720 may facilitate tracing of the transaction 2710. Asan example and not by way of limitation, after tag 2720 has been addedto transaction 2710, tag 2720 may act as a unique flag that identifiestransaction 2710 wherever it may be processed. By following where tag2720 appears, transaction 2710 may be traced at each step of itsprocessing. By tracing the transaction 2710, it may be possible toremember and even recreate the steps taken to process transaction 2710.In particular embodiments, system 100 may further log the transaction2710 in a database as it is being traced during processing.

In particular embodiments, if transaction 2710 is tagged as a high risktransaction, TBAC module 110 may generate a message 2740 that indicatesthat transaction 2710 should be processed in isolation. By isolatingtransaction 2710 as it is processed, it may be easier to tracetransaction 2710 as it is processed. Message 2740 may indicate aprocessing unit 2750 that is isolated and capable of processingtransaction 2710. As an example and not by way of limitation, message2740 may indicate the location of an isolated server to whichtransaction 2710 may be sent for isolated processing. In particularembodiments, TBAC module 110 may communicate message 2740 to resourceprovider 140 to facilitate the transfer of transaction 2710 to anisolated processing unit 2750.

Although this disclosure describes TBAC module 110 performing certainactions with respect to FIG. 27, this disclosure contemplates theprocessor 132 and the memory 134 of the TBAC module 110 performing theseactions. The illustration of system 100 in FIG. 27 does not specificallyillustrate all of the elements from the illustration of system 100 inFIG. 1 so that particular aspects of system 100 may be emphasized.However, system 100 of FIG. 27 includes all the elements of system 100in FIG. 1.

FIG. 28 is a flowchart illustrating a method 2800 of taggingtransactions 2710 using the system 100 of FIG. 1. TBAC module 110 mayperform method 2800. As provided by FIG. 28, TBAC module 110 may beginby storing a session token 115 j associated with a session thatfacilitates the processing of transactions 2710 in step 2810. In step2820, TBAC module 110 may receive a transaction 2710 associated with thesession. TBAC module 110 may continue by receiving a transaction risktoken 115 r associated with the transaction 2710 in step 2830. TBACmodule 110 may continue by accessing TTT4 rules 2730 in step 2840.

In step 2850, TBAC module 110 may determine, based on TTT4 rules 2730,if the transaction 2710 is a high risk transaction. If the transactionis not a high risk transaction, TBAC module 110 may conclude.

If the transaction 2710 is a high risk transaction, TBAC module 110 mayinitiate the transaction tagging process. To begin, TBAC module 110 maygenerate a tag 2720 for the transaction 2710 in step 2860. TBAC module110 may continue by adding the tag 2720 to the transaction 2710 in step2870. In particular embodiments, the tag 2720 may facilitate the tracingof the transaction 2710 as it is processed. In step 2880 TBAC module 110may generate a message 2740 indicating the transaction 2710 should beprocessed in isolation. TBAC module 110 may conclude by communicatingthe message 2740 to facilitate the isolated processing of thetransaction 270 in step 2890.

In particular embodiments, because system 100 may tag transactions 2710,system 100 may provide a more robust security system. Furthermore,because TBAC module 110 may use tokens 115 to tag transactions 2710,system 100 may securely process transactions 2710 quicker and moreefficiently.

FIGS. 29 and 30 illustrate the system 100 performing context caching. Ingeneral, a token provider may retrieve attributes 425 from acorresponding repository 420 a-d and cache those attributes 425 in anattribute cache 2910. If the cache 2910 fills up, subsequently retrievedattributes 425 will need to replace old attributes 425 o in the cache.The process of determining which attributes 425 are old and replacingthe old attributes 425 o with new attributes 425 n is referred to ascontext caching, which is discussed further with respect to FIGS. 29 and30.

Computed risk token provider 124 may contain an attribute cache 2910.Each time the computed risk token provider 124 computes a risk token 115m, it may retrieve attributes 425 from the risk repository 420 d, andcache those attributes 425 in the attribute cache 2910. To avoid fillingup the attribute cache 2910, the computed risk token provider 124 maydetermine, based on a received dataset token 115 l, which cachedattributes 425 are old and remove them from the attribute cache 2910.Although this disclosure describes context caching using the computedrisk token provider 124, this disclosure contemplates context cachingtaking place in any suitable token provider.

FIG. 29 illustrates the system 100 of FIG. 1 performing context caching.As provided by FIG. 29, TBAC module 110 may be requesting computed risktoken provider 124 to compute or recompute a risk token 115 m. As anexample and not by way of limitation, TBAC module 110 may be performingthe real-time risk updating function discussed with respect to FIGS. 23and 24. Although this disclosure describes TBAC module 110 performing aspecific function involving the computed risk token provider 124, thisdisclosure contemplates TBAC module 110 performing any suitable functionthat involves computed risk token provider 124. As discussed withrespect to FIGS. 23 and 24, TBAC module 110 may receive a token 115 thatindicates a change that occurred during a session. TBAC module 110 maygenerate a new dataset token 115 l 2 and communicate the new datasettoken 115 l 2 to the computed risk token provider 124. The new datasettoken 115 l 2 may indicate a risk token 115 m should be computed orrecomputed.

In particular embodiments, computed risk token provider 124 may includean attribute cache 2910. Attribute cache 2910 may cache attributes 425used in previous computations of a risk token 115 m. Cached attributes2940 c may be used during subsequent computations of risk token 115 m sothat computed risk token provider 124 does not have to retrieve thecached attributes 2940 c from a risk repository 420 d. When computedrisk token provider 124 computes a risk token 115 m, computed risk tokenprovider 124 may update attribute cache 2910 by removing old attributes425 o from and by adding new attributes 425 n to attribute cache 2910.

To determine the old attributes 425 o in attribute cache 2910, computedrisk token provider 124 may examine a token 115 received from TBACmodule 110. As an example and not by way of limitation, computed risktoken provider 124 may receive a new dataset token 115 l 2 from TBACmodule 110. New dataset token 115 l 2 may indicate a set of attributes2940 a required to compute or recompute a risk token 115 m. New datasettoken 115 l 2 may further include instructions on how to compute orrecompute risk token 115 m that may facilitate the updating of attributecache 2910. Based on the indicated set of attributes 2940 a and theinstructions, computed risk token provider 124 may determine whichcached attributes 2940 c are not used in computing or recomputing therisk tokens 115 m. Computed risk token provider 124 may then mark theseattributes 425 as old. In particular embodiments, computed risk tokenprovider 124 may consider old attributes 425 o as forming an obsoleteportion of the attribute cache 2910 and may remove the old attributes425 o from the attribute cache 210. In this manner, computed risk tokenprovider 124 may ensure that attribute cache 2910 contains onlyattributes 425 that are in the set of attributes 2940 a required tocompute or recompute risk token 115 m.

Computed risk token provider 124 may add new attributes 425 n byretrieving them from risk repository 420 d and adding them to attributecache 2910. Computed risk token provider 124 may determine whichattributes 425 to retrieve from risk repository 420 d by examining theset of attributes 2940 a required to compute or recompute risk token 115m and the set of attributes 2940 b cached within attribute cache 2910after the old attributes 425 o have been removed. By examining the setof attributes 2940 a and the set of attributes 2940 b, computed risktoken provider 124 may determine that attributes 425 that are in the setof attributes 2940 a but not in the set of attributes 2940 b. Thesedetermined attributes 425 are the new attributes 425 n.

Computed risk token provider 124 may then retrieve the new attributes425 n from risk repository 420 d and add the new attributes 425 n toattribute cache 2910. In particular embodiments, computed risk tokenprovider 124 may then use the attributes 425 cached within attributecache 2910 to compute or recompute risk token 115 m. As an example andnot by way of limitation, computed risk token provider 124 may use theattributes 425 cached within attribute cache 2910 to generate arecomputed risk token 115 m 2 and communicate the recomputed risk token115 m 2 to TBAC module 110.

Although this disclosure describes TBAC module 110 and computed risktoken provider 124 performing certain actions with respect to FIG. 29,this disclosure contemplates the processor 132 and the memory 134 of theTBAC module 110 and the processor 132 of the computed risk tokenprovider 124 performing these actions. The illustration of system 100 inFIG. 29 does not specifically illustrate all of the elements from theillustration of system 100 in FIG. 1 so that particular aspects ofsystem 100 may be emphasized. However, system 100 of FIG. 29 includesall the elements of system 100 in FIG. 1.

FIG. 30 is a flowchart illustrating a method 3000 of performing contextcaching using the system 100 of FIG. 1. In particular embodiments,computed risk token provider 124 may perform TBAC module 110. Asprovided in FIG. 30, computed risk token provider 124 may begin byreceiving a dataset token 115 l indicating a change that occurred duringa session in step 3010. Computed risk token provider 124 may continue bydetermining a set of attributes 2940 a required to recompute a risktoken 115 m in step 3020. In step 3030, computed risk token provider 124may determine a set of cached attributes 2940 c in an attribute cache2910.

To free up space in the attribute cache 2910, the old attributes 425 oin the set of cached attributes 2940 c may be removed. To do so,computed risk token provider 124 may continue by examining a cachedattribute 425 in the set of cached attributes 2940 c in step 3040. Instep 3050, computed risk token provider 124 may determine if the cachedattribute 425 is in the set of attributes 2940 a required to recomputethe risk token 115 m. If the cached attribute 425 is in the set ofattributes 2940 a, then computed risk token provider 124 may leave thecached attribute 425 in the attribute cache 2910. If the cachedattribute 425 is not in the set of attributes 2940 a, computed risktoken provider 124 may remove the cached attribute 425 from theattribute cache 2910 in step 3060.

Computed risk token provider 124 may then continue to step 3070 todetermine if all cached attributes 425 in the set of cached attributes2940 c have been examined. If not, computed risk token provider 124 mayreturn to step 3040 to examine another cached attribute 425. If allcached attributes 425 have been examined, computed risk token provider124 may be sure that attribute cache 2910 contains only the set ofattributes 2940 b.

Before recomputing a risk token 115 m, computed risk token provider 124may retrieve the new attributes 425 n from the risk repository 420 d. Toaccomplish this, computed risk token provider 124 may determine the newattributes 425 n by examining the set of attributes 2940 a required torecompute the risk token 115 m and the set of cached attributes 2940 bin step 3075. The new attributes 425 n will be the attributes in the setof attributes 2940 a but not in the set of cached attributes 2940 b.Computed risk token provider 124 may continue to step 3080 by retrievingthe new attributes 425 n. In step 3090, computed risk token provider 124may cache the retrieved attributes 425 n in the attribute cache 2910.Computed risk token provider 124 may then conclude by recomputing therisk token 115 m using cached attributes 425 in the attribute cache 2910in step 3095.

In particular embodiments, because system 100 may perform contextcaching, system 100 may provide more efficient caching of attributes425. Furthermore, because system 100 uses tokens 115 to perform contextcaching, system 100 may make faster determinations regarding whichattributes 425 to remove from the attribute cache 2910.

FIGS. 31 and 32 illustrate the system 100 recycling a virtual machine3110 b. In general, user 112 may consume a resource 145 through avirtual machine 3110 b provisioned to device 114. Over time, virtualmachine 3110 b may need to be recycled, sometimes frequently. System 100may determine when a particular virtual machine 3110 b needs to berecycled and recycle the virtual machine 3110 b accordingly. Thisrecycling process is discussed further with respect to FIGS. 31 and 32.

TBAC module 110 may monitor virtual machine 3110 b through a timestamp3120 and a time threshold 3125. When TBAC module 110 determines, basedon the timestamp 3120 and the time threshold 3125, that the virtualmachine 3110 b is stale, TBAC module 110 may generate a recycle token tofacilitate the recycling of the virtual machine 3110 b.

FIG. 31 illustrates the system 100 of FIG. 1 performing virtual machinerecycling. As provided by FIG. 31, device 114 may have been provisionedwith container 210. Container 210 may include a virtual machine 3110 bexecuting a process 3140. Virtual machine 3110 b may be executingprocess 3140 on device 114. TBAC module 110 may store a hard token 115g, a compliance token 115 h, a VM token 115 i, a subject token 115 k, aresource token 115 c, a risk token 115 m, and a session token 115 j,among others as appropriate. The VM token 115 i may representinformation associated with virtual machine 3110 b. In particularembodiments, VM token 115 i may include a timestamp 3120 associated withvirtual machine 3110 b and a time threshold 3125 associated with virtualmachine 3110 b. Timestamp 3120 may indicate the time at which virtualmachine 3110 b was established. Time threshold 3125 may indicate anamount of time after which virtual machine 3110 b should be recycled.TBAC module 110 may use timestamp 3120 and time threshold 3125 todetermine a time after which the virtual machine 3110 b should berecycled. As an example and not by way of limitation, TBAC module 110may add the time threshold 3125 to the timestamp 3120 to determine thattime.

In particular embodiments, recycling virtual machine 3110 b may includereplacing virtual machine 3110 b with a secured copy 3110 a of virtualmachine 3110 b. Secured copy 3110 a may have been generated and storedwhen virtual machine 3110 b was established. Secured copy 3110 a may bestored within memory 134. Although this disclosure describes securedcopy 3110 a being stored in TBAC module 110, this disclosurecontemplates secured copy 3110 a being stored in any suitable component.TBAC module 110 may receive a token 115 that indicates a changeassociated with granting access to a resource 145. As an example and notby way of limitation, token 115 may indicate user 112 is requestingaccess to resource 145. Prior to granting access to resource 145, TBACmodule 110 may determine if device 114 has been provisioned a validvirtual machine 3110 b. If the virtual machine 3110 b is valid, accessto the resource 145 may be granted. As another example and not by way oflimitation, token 115 may be a hard token 115 g associated with device114 indicating the virtual machine 3110 b may be invalid. Although thisdisclosure describes token 115 indicating particular changes, thisdisclosure contemplates token 115 indicating any suitable change. Thischange could include any suitable communication, process, token, etc inthe system 100. In response to receiving token 115, TBAC module 110 maydetermine if the virtual machine 3110 b is invalid.

To make the determination whether the virtual machine 3110 b is valid,TBAC module 110 may use token 115 and VM token 115 i to access VMrecycling (RRR1) rules 3130. In particular embodiments, TBAC module 110may apply RRR1 rules 3130 to determine if virtual machine 3110 b isvalid based on timestamp 3120 and time threshold 3125. As an example andnot by way of limitation, RRR1 rules 3130 may specify that if thecurrent time exceeds the time threshold 3125 added to timestamp 3120,then TBAC module 110 may determine that virtual machine 3110 b isinvalid. Although this disclosure describes TBAC module 110 determiningthe validity of VM 3110 b in a particular manner, this disclosurecontemplates TBAC module 110 determining the validity of virtual machine3110 b in any suitable manner. For example, TBAC module 110 may examinethe status of a flag associated with virtual machine 3110 b. The flagmay be turned on when virtual machine 3110 b becomes invalid. If TBACmodule detects that the flag is on, TBAC module 110 may initiate therecycling process.

In response to a determination that the virtual machine 3110 b isinvalid, TBAC module 110 may initiate the virtual machine recyclingprocess by generating a recycle token 115 s. In particular embodiments,recycle token 115 s may include instructions to recycle virtual machine3110 b and information associated with the secured copy 3110 a ofvirtual machine 3110 b. TBAC module 110 may communicate recycle token115 s to facilitate the recycling of virtual machine 3110 b. Afterrecycle token 115 s has been communicated, virtual machine 3110 b maybegin recycling. In particular embodiments, virtual machine 3110 b maybe executing process 3140 when recycling is initiated. TBAC module 110may wait for virtual machine 3110 b to finish executing process 3140before recycling. In some embodiments, rather than wait for process 3140to finish, TBAC module 110 may facilitate the secure storage of a copyof the process 3140. After the virtual machine 3110 b finishesrecycling, TBAC module 110 may facilitate the recovery of the securedcopy of the process 3140, and the recycled virtual machine 3110 b maycomplete the process 3140.

To recycle virtual machine 3110 b, virtual machine 3110 b may bereplaced with the secured copy 3110 a of virtual machine 3110 b. TBACmodule 110 may send information about the location of the secured copy3110 a of virtual machine 3110 b using recycle token 115 s. Device 114may download the secured copy 3110 a of virtual machine 3110 b from thatlocation. After virtual machine 3110 b has been recycled, timestamp 3120and time threshold 3125 may be updated to reflect the recycling.

Although this disclosure describes TBAC module 110 performing certainactions with respect to FIG. 31, this disclosure contemplates theprocessor 132 and the memory 134 of the TBAC module 110 performing theseactions. The illustration of system 100 in FIG. 31 does not specificallyillustrate all of the elements from the illustration of system 100 inFIG. 1 so that particular aspects of system 100 may be emphasized.However, system 100 of FIG. 31 includes all the elements of system 100in FIG. 1.

FIG. 32 is a flowchart illustrating a method 3200 of performing virtualmachine recycling. TBAC module 110 may perform method 3200. As providedby FIG. 32, TBAC module 110 may begin by storing a hard token 115 g,compliance token 115 h, VM token 115 i, subject token 115 k, resourcetoken 115 c, risk token 115 m, and session token 115 j, among others asappropriate in step 3210. In particular embodiments, VM token 115 i maybe associated with a virtual machine 3110 b. Virtual machine 3110 b maybe associated with a timestamp 3120 and a time threshold 3125. TBACmodule 110 may continue by storing a secured copy 3110 a of virtualmachine 3110 b in step 3220. At step 3230, TBAC module 110 may receive atoken 115 indicating a change associated with granting access to aresource 145. As an example and not by way of limitation, token 115 mayindicate that a user 112 is attempting to access resource 145.

In response, TBAC module 110 may access VM recycling (RRR1) rules 3130in step 3240. In step 3250, TBAC module 110 may determine, based on RRR1rules 3130, if the virtual machine 3110 b is still valid. If the virtualmachine 3110 b is still valid, TBAC module 110 may conclude. If thevirtual machine 3110 b is not valid, TBAC module 110 may generate arecycle token 115 s in step 3260. In particular embodiments, recycletoken 115 s may include the location of the secured copy 3110 a of thevirtual machine 3110 b. TBAC module 110 may also access the secured copy3110 a of the virtual machine 3110 b in step 3270. TBAC module 110 mayconclude by communicating the recycle token 115 s to facilitate thereplacing of the virtual machine 3110 b with the secured copy 3110 a ofthe virtual machine 3110 b in step 3280.

In particular embodiments, because system 100 may facilitate therecycling of virtual machine 3110 b, system 100 may provide a faster andmore seamless user experience to user 112. Furthermore, because TBACmodule 110 uses tokens 115 to monitor virtual machine 3110 b, system 100may determine more quickly when a virtual machine 3110 b needs to berecycled.

FIGS. 33 and 34 illustrate the system 100 performing token termination.In general, a user 112 may perform some action that will block access toa resource 145. For example, accessing a resource 145 that containsnumerous security holes may block access to another resource 145 that issensitive to risk. The process of determining whether access to aresource 145 should be blocked and enforcing that determination is knownas token termination, which is discussed further with respect to FIGS.33 and 34.

TBAC module 110 may track which resources 145 are non risk sensitiveresources 145 a and which are risk sensitive resources 145 b. If a user112 requests access to a risk sensitive resource 145 b while the user112 is exposing security risks, TBAC module 110 may perform tokentermination to block user 112 from accessing the risk sensitive resource145 b until the security risks are remedied.

FIG. 33 illustrates the system 100 of FIG. 1 performing tokentermination. As provided by FIG. 33, TBAC module 110 may store a hardtoken 115 g, subject token 115 k, first resource token 115 c 1, networktoken 115 f, risk token 115 m, and session token 115 j, among others asappropriate. First resource token 115 c 1 may be associated with a user112 accessing a non-risk sensitive resource 145 a. In particularembodiments, TBAC module 110 may receive a token 115 indicating a changeassociated with accessing a resource 145. As an example and not by wayof limitation, the token 115 may be a second resource token 115 c 2indicating that the user 112 is requesting access to a risk sensitiveresource 145 b. In particular embodiments, simultaneous access tonon-risk sensitive resource 145 a and risk sensitive resource 145 b maynot be allowed for security purposes. As an example and not by way oflimitation, non-risk sensitive resource 145 a may be a chat session andrisk sensitive resource 145 b may be a personal banking application. Thechat session may contain security holes that leave the personal bankingapplication vulnerable to potential hacks and malware. Therefore, it maynot be desirable to grant simultaneous access to the chat session andthe personal banking application.

When TBAC module 110 receives second resource token 115 c 2 indicatingthat a user 112 is requesting access to the risk sensitive resource 145b, TBAC module 110 may access token termination (TTT2) rules 3330 storedin memory 134 to determine if access to the non-risk sensitive resource145 a should be terminated prior to granting access to the risksensitive resource 145 b. In particular embodiments, a particular TTT2rule 3330 may specify that accessing a non-risk sensitive resource 145 arepresented by first resource token 115 c 1 may pose a security risk ifaccess to risk sensitive resource 145 b was granted simultaneously. Inthis case, TBAC module 110 may determine, based on TTT2 Rules 3330, thataccess to the non-risk sensitive resource 145 a should be terminatedbefore granting access to risk sensitive resource 145 b represented bysecond resource token 115 c 2.

TBAC module 110 may generate a decision token 115 n representing thedetermination to terminate access to the non-risk sensitive resource 145a. TBAC module 110 may communicate the decision token 115 n tofacilitate the termination of access to the non-risk sensitive resource.In particular embodiments, after access to the non-risk sensitiveresource 145 a has been terminated, TBAC module 110 may receive aresource token 115 c indicating that access to the non-risk sensitiveresource has been terminated. In response, TBAC module 110 may generatea second decision token 115 n 2 indicating that access to the risksensitive resource 145 b should be granted. In particular embodiments,TBAC module 110 may also terminate the first resource token 115 c 1 inresponse to receiving the resource token 115 c. TBAC module 110 maycommunicate the second decision token to facilitate the granting ofaccess to the risk sensitive resource 145 b. In particular embodiments,the second decision token 115 n 2 may be communicated to resourceprovider 140, which may grant access to the risk sensitive resource 145b after receiving the second decision token 115 n 2.

In particular embodiments, user 112 may be presented with the option toterminate access to the non-risk sensitive resource 145 a. If the user112 chooses not to terminate access to the non-risk sensitive resource145 a, the user 112 may be blocked from accessing the risk sensitiveresource 145 b.

In particular embodiments, user 112 may expose security risks throughother means than by accessing a non-risk sensitive resource 145 a. Forexample, user 112 may attach a peripheral device, such as a USB drive,to device 114. The peripheral device may present security risks. In thatcase, TBAC module 110 may receive a hard token 115 g indicating thatdevice 114 has a peripheral device attached. When user 112 requestsaccess to risk sensitive resource 145 b, TBAC module 110 may performtoken termination to block access to the risk sensitive resource 145 buntil user 112 removes the peripheral device. In particular embodiments,user 112 may attach the peripheral device while user 112 is accessingthe risk sensitive resource 145 b. In that case, TBAC module 110 maydetect the hard token 115 g and in response, perform token terminationto terminate access to the risk sensitive resource 145 b until user 112removes the peripheral device. After user 112 removes the peripheraldevice, TBAC module 110 may receive a second hard token 115 g indicatingthat the peripheral device has been removed. TBAC module 110 may thengenerate a decision token 115 n to facilitate access to the risksensitive resource 145 b.

Although this disclosure describes TBAC module 110 performing certainactions with respect to FIG. 33, this disclosure contemplates theprocessor 132 and the memory 134 of the TBAC module 110 performing theseactions. The illustration of system 100 in FIG. 33 does not specificallyillustrate all of the elements from the illustration of system 100 inFIG. 1 so that particular aspects of system 100 may be emphasized.However, system 100 of FIG. 33 includes all the elements of system 100in FIG. 1. Although this disclosure describes particular user actionscreating a security hole, there could be any number of different waysthat a user's action, a resource parameter, a network condition, or anyother characteristic of system 100 could create a security hole thatneeds to be addressed before a user may be granted access to a risksensitive resource. This disclosure contemplates any of those potentialsecurity holes.

FIG. 34 is a flowchart illustrating a method 3400 of performing tokentermination. TBAC module 110 may perform the method 3400. As provided byFIG. 34, TBAC module 110 may begin by storing a hard token 115 b,subject token 115 k, first resource token 115 c 1, risk token 115 m,network token 115 f, and session token 115 j, among others asappropriate in step 3410. The first resource token 115 c 1 may beassociated with a user 112 accessing a non-risk sensitive resource 145a. TBAC module 110 may continue by receiving a second resource token 115c 2 indicating the user 112 is requesting access to a risk sensitiveresource 145 b in step 3420. In response, TBAC module 110 may accessTTT2 rules 3330 in step 3430. In step 3440, TBAC module 110 maydetermine, based on TTT2 rules 3330, if access to the non-risk sensitiveresource 145 a should be terminated before granting access to the risksensitive resource 145 b. If access to the non-risk sensitive resourceneed not be terminated, TBAC module 110 may continue to step 3450 togenerate a decision token 115 n representing a decision to grant accessto the risk sensitive resource 145 b. TBAC module 110 may thencommunicate the decision token 115 n to facilitate enforcement of thatdecision in step 3451.

If access to the non-risk sensitive resource should to be terminated,then TBAC module 110 may generate a decision token 115 n representingthe decision to terminate access to the non-risk sensitive resource 145a in step 3455. TBAC module 110 may then communicate the decision token115 n to facilitate the termination of access to the non-risk sensitiveresource 145 a in step 3456. After access to the non-risk sensitiveresource 145 a has been terminated, TBAC module 110 may receive aresource token 115 c indicating that access has been terminated in step3458. In response to receiving the resource token 115 c, TBAC module 110may generate a second decision token 115 n 2 indicating access to therisk sensitive resource 145 b should be granted in step 3462. TBACmodule 110 may then communicate the second decision token 115 n 2 tofacilitate access to the risk sensitive resource 145 b in step 3466.

In particular embodiments, because system 100 may perform tokentermination, system 100 may provide a more robust security system thatprovides for blocking access based on the risk sensitivity of theresources. Furthermore, because TBAC module 110 may terminate tokens115, system 100 may provide a faster and more efficient security system.

FIGS. 35 and 36 illustrate the system 100 performing tamper detection.In general, mechanical components of system 100 such as the device 114,network 120, or resource 145 may be the subject of attacks by viruses,malware, or hackers. When attacks happen, the tokens 115 associated withthose mechanical components may be affected. System 100 may detect whenthose components may be attacked by examining the tokens 115 associatedwith those components. The process of detecting when those componentshave been affected is known as tamper detection, which is discussedfurther with respect to FIGS. 35 and 36.

TBAC module 110 may store tokens 115 associated with the mechanicalcomponents of system 100 as well as secured copies of those tokens. Anattack on a component may affect the token 115 associated with thatcomponent. When a token 115 associated with a component changes, TBACmodule 110 may compare the token 115 with its corresponding secured copyto determine if the component has been attacked.

FIG. 35 illustrates the system 100 of FIG. 1 detecting tampering. Asprovided in FIG. 35, TBAC module 110 may store a hard token 115 g, anetwork toke 115 f, a subject token 115 k, a resource token 115 c, arisk token 115 m, and a session token 115 j. Hard token 115 g may beassociated with a device 114. Network token 115 f may be associated withnetwork 120 and resource token 115 c may be associated with a resource145. Device 114 may be consuming resource 145 over network 120.Furthermore, hard token 115 g, network token 115 f, and resource token115 c may have corresponding secured copies 115 gs, 115 fs, and 115 csstored in memory 134. The secured copies 115 gs, 115 fs, and 115 cs mayhave been generated when the corresponding tokens 115 g, 115 f, and 115c were first generated. Although this disclosure describes securedcopies 115 gs, 115 fs, and 115 cs stored in a particular component ofsystem 100, this disclosure contemplates secured copies 115 gs, 115 fs,and 115 cs stored in any suitable component of system 100.

In particular embodiments, TBAC module 110 may receive a suspect token115 t that indicates a risk that device 114, network 120, or resource145 may have been tampered. Tampering may include any security breachesby viruses, malware, or hackers. As an example and not by way oflimitation, suspect token 115 t may indicate that device 114 has beeninfected with a virus. As another example and not by way of limitation,suspect token 115 t may indicate that network 120 is beginning todistribute malware. As yet another example and not by way of limitation,suspect token 115 t may indicate that resource 145 is being targeted ina denial of service attack. Tampering of the device 114, network 120, orresource 145 may result in a change in any of the hard token 115 g,network token 115 f, or resource token 115 c.

TBAC module 110 may detect changes within hard token 115 g, networktoken 115 f, or resource token 115 c that resulted from tampering. Todetect these changes, TBAC module 110 may use suspect token 115 t toaccess token tampering (TTT3) rules 3530 stored in memory 134. Inparticular embodiments, TTT3 rules 3530 may specify which tokens 115 ofthe hard token 115 g, network token 115 f, and resource token 115 c mayhave been affect as a result of the risk indicated in suspect token 115t. TBAC module 110 may then compare the tokens 115 that may have beenchanged as a result of tampering with their corresponding securedcopies. As an example and not by way of limitation, suspect token 115 tmay indicate a risk that malware may be causing a denial of serviceattack. In that situation, TTT3 rules 3530 may specify that networktoken 115 f and resource token 115 c should be compared with theircorresponding secured copies 115 fs and 115 cs. If any differences thatresulted from tampering are detected during the comparisons, TBAC module110 may indicate that the token 115 containing that difference has beencompromised. As an example and not by way of limitation, if network 120is distributing malware but resource 145 is not experiencing a denial ofservice attack, then the comparisons may indicate that network token 115f is different from its corresponding secured copy 115 fs and that thatdifference may have resulted from tampering (e.g., malware infection).

In particular embodiments, in response to the determination that a token115 has been compromised as a result of tampering, TBAC module 110 mayreplace that token 115 with its corresponding secured copy. As anexample and not by way of limitation, if network token 115 f has beencompromised as a result of tampering, TBAC module 110 may replacenetwork token 115 f with its corresponding secured copy 115 fs. Incertain embodiments, TBAC module 110 may replace the tampered token 115by terminating the tampered token 115 and generating a new token 115that matches the corresponding secured copy of the tampered token 115.

In particular embodiments, TBAC module 110 may perform additional checksto determine if a token 115 has been tampered. As an example and not byway of limitation, TBAC module 110 may detect that a Kerberos token 115associated with device 114 may have been tampered. In addition tocomparing the Kerberos token 115 with its corresponding secured copy,TBAC module 110 may verify the integrity of a ticket associated with theKerberos token 115. If the ticket is valid, TBAC module 110 may treatthe valid ticket as an indication that the Kerberos token 115 has notbeen tampered. If the ticket is invalid, TBAC module 110 may treat theinvalid ticket as an indication that the Kerberos token 115 has beentampered.

In particular embodiments, TBAC module 110 may generate a revalidationtoken 115 u to indicate which tokens 115 have been compromised as aresult of tampering. As an example and not by way of limitation, ifnetwork token 115 f has been compromised because network 120 isdistributing malware, then revalidation token 115 u may indicate thatnetwork token 115 f has been compromised. In certain embodiments, TBACmodule 110 may communicate revalidation token 115 u to a token providercorresponding to the token 115 that was compromised as a result oftampering. As an example and not by way of limitation, TBAC module 110may communicate revalidation token 115 u to network token provider 122if network token 115 f was compromised as a result of tampering. Inparticular embodiments, revalidation token 115 u may be communicated tocomputed risk token provider 124 to compute or recomputed a risk token115 m. As an example and not by way of limitation, if a network token115 f is discovered to have been tampered, the risk associated withgranting access to a resource 145 over network 120 may increase.Computed risk token provider 124 may generate a risk token 115 mrepresenting that increase in risk. The risk token 115 m may then beused to facilitate the making of an access decision 900 following theprocess described with respect to FIGS. 8-10. Although this disclosuredescribes TBAC module 110 performing certain actions with respect toFIG. 35, this disclosure contemplates the processor 132 and the memory134 of the TBAC module 110 performing these actions. The illustration ofsystem 100 in FIG. 35 does not specifically illustrate all of theelements from the illustration of system 100 in FIG. 1 so thatparticular aspects of system 100 may be emphasized. However, system 100of FIG. 35 includes all the elements of system 100 in FIG. 1.

FIG. 36 is a flowchart illustrating a method 3600 of detecting tamperingusing the system 100 of FIG. 1. TBAC module 110 may perform method 3600.As provided in FIG. 36, TBAC module 110 may begin by storing a hardtoken 115 g, subject token 115 k, resource token 115 c, risk token 115m, network token 115 f, and session token 115 j in step 3610. The hardtoken 115 g may be associated with a device 114. The network token 115 fmay be associated with network 120. The resource token 115 c may beassociated with a resource 145. TBAC module 110 may receive a suspecttoken 115 t indicating a risk that device 114, network 120, or resource145 has been tampered in step 3620. In response to receiving the suspecttoken 115 t, TBAC module 110 may access TTT3 rules 3530 in step 3630.TTT3 rules 3530 may specify which tokens 115 should be examined forpotential tampering.

TBAC module 110 may then compare the hard token 115 g, network token 115f, and/or resource token 115 c with secured copies of the hard token 115gs, network token 115 fs, and resource token 115 cs in step 3640. Instep 3650, TBAC module 110 may determine if any of the hard token 115 g,network token 115 f, and/or resource token 115 c differ from itscorresponding secured copy 115 gs, 115 fs, or 115 cs. If none of thetokens 115 differ from its corresponding secured copy, TBAC module 110may conclude. However, if any of the tokens differ from itscorresponding secured copy, TBAC module 110 may proceed to step 3660 togenerate a revalidation token 115 u representing the tokens 115 thatdiffer from their corresponding secured copies. TBAC module 110 may thenconclude by communicating the revalidation token 115 u to theappropriate token providers in step 3670. Communicating the revalidationtoken 115 u may facilitate the replacement of a tampered token 115 withits corresponding secured copy.

In particular embodiments, because system 100 may detect tampering,system 100 may provide a more responsive and robust security system.Furthermore, because TBAC module 110 uses tokens to monitor components,system 100 may respond faster to any attacks on those components.

FIGS. 37 and 38 are high level architectural diagrams of a system 3700that does not use tokens 115 and of a system 3800 that does use tokens115 respectively. System 3700 may include an Entitlement Engine thathandles directly attributes 425 associated with Interfaces A-E. Toaugment system 3700 to use tokens 115, system 3800 may include anadditional token layer that interacts with Interfaces A-E. The variousinterfaces and token layer will be discussed further with respect toFIGS. 37 and 38.

FIG. 37 is a high level architectural diagram of a system 3700 that doesnot use tokens 115 to control access to a resource 145. As provided inFIG. 37, the Entitlement Engine may make access decisions 900 bydirectly using attributes 425 associated with Interfaces A-E. InterfaceA may include attributes 425 associated with authentication (AuthN) suchas for example, device 114, service, and user 112 authentication.Interface A may further include attributes 425 associated with STS andFederation and XML Firewall Appliance. Interface B may includeattributes 425 associated with network 120 such as for example,firewalls, intrusion, and integrity. Interface C may include attributes425 associated with risk (similar to the attributes 425 represented byrisk token 115 m). Interface D may include attributes 425 associatedwith data (similar to attributes 425 associated with data token provider129). Interface E may include attributes 425 associated with accesscontrol management (akin to attributes 425 associated with privilegetokens 115 p) such as for example, attributes 425 associated withSecurity Event and Incident Management (SEIM), Governance Risk &Compliance (GRC), and auditing.

FIG. 38 is a high level architectural diagram of a system 3800 that usestoken 115 to control access to a resource 145. As provided by FIG. 38,system 3800 may add a layer that processes tokens 115 around theEntitlement Engine, which may now make access decisions 900 by usingtokens 115 associated with Interfaces A-E. For example, Interface A mayinclude tokens 115 associated with user 112 authentication, such as forexample, biometric tokens, RFID tokens, Rivest, Shamir, Adelman (RSA)tokens, SAML tokens, and XML tokens. These tokens may be similar tosubject tokens 115 k. Interface B may include tokens 115 associated withnetwork 120, such as for example, Posture/Priority tokens, Packet/Pathtokens, TPM tokens, TNC tokens, Transaction Security System (TSS)tokens, Integrity tokens, and Access Control List (ACL) tokens. Thesetokens 115 may be similar to network tokens 115 f. Interface C mayinclude tokens 115 associated with risk, such as for example, risktokens 115 m. Interface D may include tokens 115 associated with data ofuser 112, such as for example, data tokens 115 e. Interface D mayfurther include xRML tokens and Privilege/Permission tokens. Interface Emay include tokens 115 associated with access control management such asfor example, Event tokens, Audit tokens, and T-BAC module 110 tokens.

In particular embodiments, system 3800 may provide several advantagesover system 3700 by using tokens 115. First, system 3800 may be operableto align the function of tokens 115 with the appropriate OSI layerassociated with the tokens 115. Second, system 3800 may leverage theadvances made in token 115 technologies to improve security functions.Third, system 3800 may perform session control via session specificpolicies using tokens 115. Fourth, system 3800 may leverage the mappingof tokens 115 to attributes 425 for more efficient processing. Fifth,system 3800 may use tokens 115 to quickly and efficiently computeIdentity Assurance levels 940, trust levels 920, integrity levels 910,and risk levels 930 to make access decisions 900.

FIGS. 39 and 40 illustrate the system 100 performing real-timeauthentication using subject token combinations. In general, during asession a user 112 may have already performed certain forms ofauthentication, and the user 112 may further request access to aresource 145. However, access to the resource 145 may require more formsor different forms of authentication than the user 112 has alreadyprovided. The process of determining which forms of authentication thatuser 112 still needs to perform to access resource 145 is known as realtime authentication using subject token combinations, which is discussedfurther with respect to FIGS. 39 and 40.

TBAC module 110 may detect the request to access second resource 145 dwhile monitoring a session and determine whether the request for secondresource 145 d requires authentication beyond what user 112 and device114 have already provided. If TBAC module 110 determines that furtherauthentication is required, TBAC module 110 may request the furtherauthentication. TBAC module 110 may determine whether any subsequentlyprovided authentication is sufficient to grant access to second resource145 d. If the later provided authentication is sufficient, access tosecond resource 145 d may be granted.

FIG. 39 illustrates the system 100 of FIG. 1 performing real-timeauthentication using subject token combinations. As provided in FIG. 39,TBAC module 110 may have correlated first resource token 115 c 1,subject token 115 k, among others, as appropriate to session token 115 jthus indicating that user 112 and/or device 114 have been identified andhave been granted access to first resource 145 c. First resource token115 c 1 may represent first resource 145 c, and subject token 115 k mayrepresent the authentication provided by user 112 and/or device 114 inorder to access first resource 145 c. In particular embodiments,multiple subject tokens 115 k may represent the authentication providedby user 112 and/or device 114 in order to access first resource 145 c.User 112 and/or device 114 may request access to second resource 145 d.In response, TBAC module 110 may receive a second resource token 115 c 2and risk token 115 m. Second resource token 115 c 2 may represent secondresource 145 d. Risk token 115 m may represent the risk associated withgranting the user 112 or device 114 access to second resource 145 d.

In particular embodiments, TBAC module 110 may store authN rules 3930 inmemory 134. AuthN rules 3930 may specify when further authentication isrequired to access a resource 145. As an example and not by way oflimitation, particular authN rules 3930 may specify that an extra formof authentication, such as biometric authentication, must be performedto grant access to second resource 145 d. In that example, if TBACmodule 110 has stored a subject token 115 k that indicates that user 112or device 114 has performed biometric authentication, then access tosecond resource 145 d may be granted. However, if biometricauthentication has not been performed, then TBAC module 110 may requestuser 112 or device 114 to perform biometric authentication beforegranting access to second resource 145 d.

TBAC module 110 may use second resource token 115 c 2, risk token 115 m,subject token 115 k, among others as appropriate, to access authN rules3930. In particular embodiments, TBAC module 110 may use these tokens115 to determine at least one authN rule 3930 that applies to secondresource 145 d. The at least one authN rule 3930 may specify the subjecttokens 115 k required to grant access to second resource 145 d. Inparticular embodiments, these specified subject tokens 115 k mayrepresent the forms of authentication that user 112 and/or device 114have to perform to access second resource 145 d. TBAC module 110 maycompare the subject tokens 115 k specified by the at least one authNrule 3930 with the subject tokens already provided by user 112 and/ordevice 114 to determine a missing subject token 115 k 4. In particularembodiments, the missing subject token 115 k 4 may represent a form ofuser authentication and/or a form of device authentication that user 112and/or device 114 have to perform to access second resource 145 d. As anexample and not by way of limitation, missing subject token 115 k 4 mayrepresent biometric authentication. If TBAC module 110 determines thatthe missing form of user authentication and/or device authentication hasbeen performed, then TBAC module 110 may grant access to second resource145 d.

Based on the determination of the missing subject token 115 k 4, TBACmodule 110 may deny access to second resource 145 d and request that theuser 112 or device 114 perform the form of authentication represented bymissing subject token 115 k 4. TBAC module 110 may receive missingsubject token 115 k 4 from a token provider, such as for example, apublic token provider 126 or private token provider 128. In particularembodiments, TBAC module 110 may generate and transmit a message to thedevice 114 stating that access to second resource 145 d has been deniedand indicating the missing form of user authentication and/or deviceauthentication that needs to be performed in order for access to secondresource 145 d to be granted. The message may be in the form of a token115, and TBAC module 110 may transmit the token 115 first to a tokenprovider, such as the private token provider 128, en route to the device114.

In response, user 112 or device 114 may perform the form ofauthentication represented by missing subject token 115 k 4. TBAC module110 may then receive missing subject token 115 k 4 from a token providersuch as private token provider 128 or public token provider 126.Receiving the missing subject token 115 k 4 may indicate to TBAC module110 that the missing form of user authentication and/or deviceauthentication has been performed. After receiving missing subject token115 k 4, TBAC module 110 may determine that missing subject token 115 k4 represents the form of authentication required to grant access tosecond resource 145 d. TBAC module 110 may then associate missingsubject token 115 k 4 with session token 115 j and further grant accessto second resource 145 d.

The illustration of system 100 in FIG. 39 does not specificallyillustrate all the elements from the illustration of system 100 in FIG.1 so that particular aspects of system 100 may be emphasized. However,system 100 of FIG. 39 includes all the elements of system 100 in FIG. 1.

FIG. 40 is a flowchart illustrating a method 4000 of performingreal-time authentication using subject token combinations. TBAC module110 may perform method 4000. TBAC module 110 may begin by storing a hardtoken 115 g, compliance token 115 h, VM token 115 i, subject token 115k, and first resource token 115 c 1, among others as appropriate, as aplurality of tokens 115 in step 4010. In particular embodiments, firstresource token 115 c 1 may be associated with a first resource 145 c towhich TBAC module 110 has granted access. In step 4020, TBAC module 110may detect that access to a second resource 145 d has been requested. Inresponse, TBAC module 110 may access authN rules 3930 in step 4030.AuthN rules 3930 may be used to determine if access to second resource145 d should be granted. Based on authN rules 3930, TBAC module 110 maydetermine if the stored subject token 115 k is sufficient to grantaccess to second resource 145 d in step 4040. If the stored subjecttoken 115 k is sufficient to grant access to second resource 145 d, thenTBAC module 110 may grant access to the second resource 145 d in step4070.

However, if the stored subject token 115 k is not sufficient to grantaccess to second resource 145 d, then TBAC module 110 may determinebased on authN rules 3930 a missing form of user authentication ormissing form of device authentication required to grant access to secondresource 145 d in step 4050. In particular embodiments, TBAC module 110may then request the missing form of user authentication or the missingform of device authentication in step 4055. In response, TBAC module 110may receive a missing subject token 115 k 4. Based on the missingsubject token 115 k 4 and the authN rules 3930, TBAC module 110 maydetermine if the missing form of user authentication and the missingform of device authentication have been performed in step 4060. If themissing forms of authentication have not been performed, TBAC module 110may deny access to the resource in step 4080. However, if the missingform of user authentication and/or the missing form of deviceauthentication have been performed, then TBAC module 110 may grantaccess to the second resource 145 d in step 4070.

In particular embodiments because TBAC module 110 may perform real-timeauthentication using subject token combinations, system 100 may providea more robust process of determining access to multiple resources 145.Furthermore, because TBAC module 110 examines tokens 115 to determineaccess to multiple resources 145, TBAC module 110 may provide a fasterand more efficient process of determining access to a resource 145.

FIGS. 41 and 42 illustrate the system 100 of FIG. 1 performing sessionvalidation. In general, access to resource 145 may be associated with asession. The process of generating and maintaining sessions is known assession validation, which will be discussed further with respect toFIGS. 41 and 42.

TBAC module 110 may generate a session token 115 j in response todetermining that access to a resource should be granted. TBAC module 110may further determine that events that affect session 115 j haveoccurred, and terminate the session and the corresponding session token115 j.

FIG. 41 illustrates the system 100 of FIG. 1 performing sessionvalidation. As provided by FIG. 41, TBAC module 110 may store subjecttoken 115 k, network token 115 f, among others as appropriate. Inparticular embodiments, TBAC module 110 may receive resource token 115 cindicating that a user 112 and/or device 114 have requested access to aresource 145. TBAC module 110 may determine that access to the resourcehas been requested in response to receiving resource token 115 c.

In particular embodiments, TBAC module 110 may use session rules 4130stored in memory 134 to determine whether access to resource 145 shouldbe granted. TBAC module 110 may use subject token 115 k, network token115 f, resource token 115 c, among others as appropriate, to accesssession rules 4130. In particular embodiments, TBAC module 110 may useone or more of these tokens 115 to determine at least one session rule4130 applicable to resource 145. The at least one session rule 4130 mayspecify conditions under which access to resource 145 may be granted. Inparticular embodiments, the at least one session rule 4130 may specifythat access to resource 145 may be granted if a particular token 115 ispresent. For example, the at least one session rule 4130 may specifythat access to resource 145 may be granted to user 112 if a subjecttoken 115 k indicating that user 112 has performed biometricauthentication is present. As another example, the at least one sessionrule 4130 may specify that access to a resource 145 may be granted touser 112 if a subject token 115 k indicating that user 112 is at aparticular geographic location is present. Other examples of conditionsspecified by the at least one session rule 4130 will be discussed withrespect to FIGS. 59-68.

TBAC module 110 may apply the at least one session rule 4130 anddetermine whether the condition specified by the at least one sessionrule 4130 has been met. For example, TBAC module 110 may determinewhether the particular token 115 specified by the at least one sessionrule 4130 is present. If the particular token 115 is not present, TBACmodule 110 may deny access to resource 145. In particular embodiments,TBAC module 110 may request the particular token 115 and receive a token115 in response to that request. TBAC module 110 may then determine ifthe received token 115 is the particular token 115. If not, TBAC module110 may deny access to resource 145. If the particular token 115 isalready present or if the received token 115 is the particular token115, TBAC module 110 may grant access to resource 145.

In particular embodiments, TBAC module 110 may further generate asession token 115 j in response to the determination that the particulartoken 115 specified by the at least one session rule 4130 is present.The at least one session rule 4130 may specify how to generate sessiontoken 115 j. In particular embodiments, the at least one session rule4130 may specify that session token 115 j should be generated based onparticular tokens 115. For example, the at least one session rule 4130may specify that session token 115 j should be generated by hashingresource token 115 c and subject token 115 k. As another example, the atleast one session rule 4130 may specify that session token 115 j shouldbe generated by hashing resource token 115 c and network token 115 f.

In particular embodiments, TBAC module 110 may apply the at least onesession rule 4130 to generate session token 115 j. For example, TBACmodule 110 may hash resource token 115 c and network token 115 f togenerate session token 115 j. As another example, TBAC module 110 mayhash resource token 115 c and subject token 115 k to generate sessiontoken 115 j. Although this disclosure describes TBAC module 110performing particular operations on particular tokens 115 to generatesession token 115 j, this disclosure contemplates TBAC module 110performing any appropriate operation on any number and combination oftokens 115 to generate session token 115 j. For example, TBAC module 110may perform a logical union on three or more tokens 115 to generatesession token 115 j. As another example, TBAC module 110 may compressthree or more tokens 115 to generate session token 115 j.

In particular embodiments, TBAC module 110 may receive an event token115 x. Event token 115 x may indicate the occurrence of an eventaffecting the risk associated with granting access to the resource 145.As an example and not by way of limitation, event token 115 x mayindicate that an unauthorized connection has been attempted. As anotherexample and not by way of limitation, event token 115 x may indicatethat an element of system 100 has been infected by a virus. Althoughthis disclosure describes event token 115 x indicating particularevents, this disclosure contemplates event token 115 x indicating anyappropriate event affecting the risk of granting access to resource 145.Further examples of events indicated by event token 115 x will bediscussed with respect to FIGS. 59-68. TBAC module 110 may determinethat the event has occurred in response to receiving event token 115 x.

In particular embodiments, the at least one session rule 4130 mayspecify that access to resource 145 should be terminated when eventtoken 115 x indicating that the event occurred is present. TBAC module110 may apply the at least one session rule 4130 to determine thataccess to resource 145 should be terminated in response to receivingevent token 115 x. TBAC module 110 may then terminate the session token115 j associated with access to resource 145 in response to thedetermination that access to the resource 145 should be terminated. Toterminate session token 115 j, TBAC module 110 may delete session token115 j, uncorrelate session token 115 j from subject token 115 k, networktoken 115 f, among others as appropriate; modify session token 115 j toreflect termination of access to resource 145; and/or any otherappropriate action with respect to session token 115 j. TBAC module 110may then terminate access to resource 145.

In particular embodiments, TBAC module 110 may handle a transaction 4140prior to terminating access to resource 145. TBAC module 110 maydetermine prior to terminating access to resource 145 that there is anincomplete transaction 4140 associated with resource 145. In particularembodiments, TBAC module 110 may complete transaction 4140 beforeterminating access to resource 145. As an example and not by way oflimitation, user 112 may be uploading data as part of the transaction4140 with resource 145. TBAC module 110 may complete the upload beforeterminating access to resource 145.

In particular embodiments, TBAC module 110 may halt the transaction 4140prior to terminating access to resource 145. As an example and not byway of limitation, user 112 may be transferring funds as part of thetransaction 4140 with resource 145. TBAC module 110 may halt the fundstransfer before terminating access to resource 145. TBAC module 110 maythen continue the transaction 4140 if access to resource 145 issubsequently reestablished. To continue the example, TBAC module 110 maycontinue the funds transfer after access to resource 145 has beenreestablished.

In particular embodiments, TBAC module 110 may reestablish access toresource 145 in response to receiving a particular token 115. Theparticular token 115 may be a subject token 115 k, network token 115 f,resource token 115 c, event token 115 x, or any other appropriate token115. The particular token 115 may indicate that the event indicated byevent token 115 x has been resolved. The at least one session rule 4130may specify that access to resource 145 may be reestablished if theparticular token 115 is present. After receiving the particular token115, TBAC module 110 may apply the at least one session rule 4130 todetermine that access to resource 145 should be reestablished. TBACmodule 110 may then reestablish access to the resource 145. Inparticular embodiments, TBAC module 110 may reestablish access bygenerating the session token 115 j and then granting access to resource145.

As an example and not by way of limitation, the at least one sessionrule 4130 may specify that access to resource 145 may be reestablishedif user 112 performs biometric authentication. TBAC module 110 may thenreceive a subject token 115 k indicating that user 112 has performedbiometric authentication. TBAC module 110 may then apply the at leastone session rule 4130 to determine that access to the resource 145should be reestablished. TBAC module 110 may then reestablish access tothe resource 145. As another example and not by way of limitation, theat least one session rule 4130 may specify that access to resource 145may be reestablished if a virus infecting an element of system 100 hasbeen removed. TBAC module 110 may then receive a token 115 indicatingthat the virus has been removed. TBAC module 110 may then apply the atleast one session rule 4130 to determine that access to resource 145should be reestablished. TBAC module 110 may then reestablish access tothe resource 145. Although this disclosure describes TBAC module 110reestablishing access in response to particular actions or events, thisdisclosure contemplates TBAC module 110 reestablishing access inresponse to any appropriate action or event. Other examples of actionsand events will be discussed further with respect to FIGS. 59-68.

In particular embodiments, another element of system 100 such asresource provider 140 may grant, deny, or terminate access to resource145. TBAC module 110 may instruct that element of system 100 whether togrant, deny, or terminate access. In particular embodiments, TBAC module110 may generate a decision token 115 n representing a determinationmade by TBAC module 110. For example, in response to determining thataccess to resource 145 should be granted, TBAC module 110 may generate adecision token 115 n indicating that access to resource 145 should begranted. As another example, in response to determining that access toresource 145 should be terminated, TBAC module 110 may generate adecision token 115 n indicating that access to resource 145 should beterminated.

As another example, user 112 may decide to terminate access to resource145. TBAC module 110 may receive a token 115 such as a subject token 115k indicating that user 112 wants to terminate access to resource 145. Inresponse, TBAC module 110 may generate a decision token 115 n indicatingthat access to resource 145 should be terminated.

In particular embodiments, TBAC module 110 may transmit decision token115 n to an appropriate element of system 100, such as resource provider140. In response to receiving decision token 115 n, the appropriateelement of system 100 may carry out the decision indicated by decisiontoken 115 n. For example, in response to receiving decision token 115 n,resource provider 140 may grant, deny, terminate, and/or take any otherappropriate action with respect to resource 145 as indicated by decisiontoken 115 n.

The illustration of system 100 in FIG. 41 does not specificallyillustrate all of the elements from the illustration of system 100 inFIG. 1 so that particular aspects of system 100 may be emphasized.However, system 100 of FIG. 41 includes all the elements of system 100in FIG. 1.

FIG. 42 is a flowchart illustrating a method 4200 of performing sessionvalidation. TBAC module 110 may perform method 4200. TBAC module 110 maybegin by storing a subject token 115 k, network token 115 f, amongothers as appropriate, in step 4205. In step 4210 TBAC module 110 maydetermine that access to a resource 145 has been requested. Inparticular embodiments, TBAC module 110 may receive a resource token 115c indicating that access to resource 145 has been requested. In responseto receiving resource token 115 c, TBAC module 110 may determine thataccess to resource 145 has been requested.

TBAC module 110 may continue to step 4215 and access session rules 4130.In particular embodiments, TBAC module 110 may use one or more of thepreviously described tokens 115 to access session rules 4130, and todetermine at least one session rule 4130 applicable to resource 145. Theat least one session rule 4130 may specify that access to resource 145may be granted if a particular token 115 is present. In step 4220, TBACmodule 110 may determine whether the particular token 115 specified bythe at least one session rule 4130 is present.

If the particular token 115 is not present, TBAC module 110 may continueto step 4231 and request the token 115 specified by the at least onesession rule 4130. In step 4232, TBAC module 110 may receive a token 115in response to that request. TBAC module 110 may then determine whetherthe received token 115 is the token 115 specified by the at least onesession rule 4130 in step 4233. If the received token 115 is thespecified token 115, TBAC module 110 may continue to step 4225. If not,TBAC module 110 may deny access to the resource 145 in step 4235.

If the particular token 115 specified by the at least one session rule4130 is present, TBAC module 110 may generate a session token 115 j instep 4225. In particular embodiments, TBAC module 110 may generatesession token 115 j by combining the particular token 115 specified bythe at least one session rule 4130 with one or more of the tokens 115stored in step 4205. For example, TBAC module 110 may hash theparticular token 115 with a subject token 115 k stored in step 4205 togenerate session token 115 j. Hashing the particular token 115 with asubject token 115 k may generate a session token 115 j that can beeasily associated with the particular token 115 and the subject token115 k. For example, hashing the particular token 115 with the subjecttoken 115 k may generate a session token 115 j that representsinformation from both subject token 115 k and the particular token 115.By examining the information represented by session token 115 j, TBACmodule 110 may associate session token 115 j to the particular token 115and to the subject token 115 k. TBAC module 110 may then continue tostep 4230 to grant access to resource 145. As part of granting access toresource 145, TBAC module 110 may correlate session token 115 j with oneor more of the tokens 115 stored in step 4205.

In particular embodiments, user 112 may decide to terminate access toresource 145. In step 4240, TBAC module 110 may determine whether user112 wants to terminate access to resource 145. TBAC module 110 mayreceive a request from user 112 and/or device 114 to terminate access toresource 145. In response, TBAC module 110 may terminate the sessiontoken in step 4241. In particular embodiments, TBAC module 110 mayterminate session token 115 j by deleting session token 115 j. In otherembodiments, TBAC module 110 may terminate session token 115 j byuncorrelating it with one or more stored tokens 115. TBAC module 110 mayalso modify session token 115 j to terminate session token 115 j. Instep 4242, TBAC module 110 may then terminate access to resource 145. Inthis manner, TBAC module 110 may terminate access to resource 145 inresponse to a request from user 112 and/or device 114.

If user 112 does not want to terminate access, TBAC module 110 maydetermine that an event affecting the risk associated with grantingaccess to resource 145 has occurred. In particular embodiments, TBACmodule 110 may receive an event token 115 x indicating the occurrence ofan event affecting the risk associated with granting access to resource145. In response to receiving event token 115 x, TBAC module 110 maydetermine that the event has occurred.

TBAC module 110 may then continue to step 4245 to determine whetheraccess to resource 145 should be terminated due to the event. Inparticular embodiments, the at least one session rule 4130 may specifywhether access should be terminated due to the event. If the at leastone session rule 4130 specifies that access should be terminated due tothe event, TBAC module 110 may apply the at least one session rule 4130to terminate access. If access to resource 145 should not be terminated,TBAC module 110 may continue granting access to resource 145 in step4246.

If access to resource 145 should be terminated, TBAC module 110 maycontinue to step 4250 to determine whether there is an incompletetransaction 4140 associated with resource 145. If there is an incompletetransaction 4140, TBAC module 110 may complete the transaction 4140 instep 4255. In particular embodiments, instead of completing thetransaction 4140, TBAC module 110 may halt the transaction 4140.

If there is not an incomplete transaction 4140, or after completingand/or halting the transaction 4140, TBAC module 110 may continue toterminate the session token 115 j in step 4260. In particularembodiments, TBAC module 110 may terminate session token 115 j bydeleting session token 115 j. In other embodiments, TBAC module 110 mayterminate session token 115 j by uncorrelating it with one or morestored tokens 115. TBAC module 110 may also modify session token 115 jto terminate session token 115 j. In step 4265 TBAC module 110 may thenterminate access to resource 145. In this manner, TBAC module 110 mayterminate access to resource 145 in response to the occurrence of theevent.

After access has been terminated, TBAC module 110 may receive a token115 indicating that the event affecting the risk associated withgranting access to the resource 145 has been resolved in step 4266. Instep 4270, TBAC module 110 may determine whether access to resource 145should be reestablished in response to receiving that token 115. Inparticular embodiments, the at least one session rule 4130 may specifythat access to resource 145 may be reestablished if a particular token115, such as a subject token 115 k, is present. TBAC module 110 mayreceive the particular token 115 in step 4266, and apply the at leastone session rule 4130 to determine that access to resource 145 should bereestablished. TBAC module 110 may then reestablish access to theresource 145 by generating a session token 115 j in step 4225. However,if TBAC module 110 determines that access should not be reestablished,TBAC module 110 end method 4200.

FIGS. 59-68 are flowcharts describing particular methods involvingsession validation, In general, TBAC module 110 may perform certainvariations of session validation as described with respect to FIGS. 41and 42. These variations may affect the generation of the session token115 j or the termination of session token 115 j.

Variations that affect the generation of session token 115 j includeaccessing protected resources, uncontrolled devices, accessing mainframeresources, accessing third party resources, third party sessionvalidation, network session validation, and object transaction sessionvalidation. During accessing protected resources, TBAC module 110 maygenerate a session token 115 j based at least upon a subject token 115 kassociated with device 114. This function is discussed further withrespect to FIG. 59. During session validation of uncontrolled devices,TBAC module 110 may generate a session token 115 j based at least upon asubject token 115 k associated with the unsecured device and anothersubject token 115 k indicating a timeout. This function will bediscussed further with respect to FIG. 60. During accessing mainframeresources, TBAC module 110 may generate a session token 115 j based atleast upon a token 115 indicating a password and a geographic locationof device 114. This function will be discussed further with respect toFIG. 61. During accessing third party resources, TBAC module 110 maygenerate a session token 115 j based at least upon a token 115associated with a subscriber identity module of device 114.

This function will be discussed further with respect to FIG. 62. Duringthird party session validation, TBAC module 110 may generate a sessiontoken 115 j based at least upon a token 115 requested from an entity dueto the geographic location of device 114. This function will bediscussed further with respect to FIG. 63. During network sessionvalidation, TBAC module 110 may generate a session token 115 j based atleast upon a token 115 indicating that the resource 145 is associatedwith a virtual private network. This function will be discussed furtherwith respect to FIG. 64. During object transaction session validation,TBAC module 110 may detect a transaction and generate a session token115 j based on a token 115 associated with the transaction. Thisfunction will be discussed further with respect to FIG. 68.

Variations that affect the termination of session token 115 j includeemergency session validation, subject recognition session validation,and object security session validation. During emergency sessionvalidation, TBAC module 110 may terminate session token 115 j based atleast upon a token 115 indicating that an emergency has been declared.This function will be discussed further with respect to FIG. 65. Duringsubject recognition session validation, TBAC module 110 may terminatesession token 115 j based at least upon a token 115 indicating that aface or a voice other than the authorized user's has been detected. Thisfunction will be discussed further with respect to FIG. 66. Duringobject security session validation, TBAC module 110 may terminatesession token 115 j based at least upon a token 115 indicating an alarmassociated with device 114 has triggered. This function will bediscussed further with respect to FIG. 67.

FIG. 59 illustrates a method of performing session validation to accessprotected resources. In general, TBAC module 110 may receive requestsfor resources 145 that are protected, such as confidential resources,from a device 114. TBAC module 110 may grant access to the protectedresource 145 if the device 114 has been authorized to access theprotected resource 145. More details will be provided in the descriptionof FIG. 59.

FIG. 59 is a flowchart illustrating a method 5900 of performing sessionvalidation to access protected resources 145. TBAC module 110 mayperform method 5900. TBAC module 110 may begin by storing a plurality oftokens 115 in step 5905. In step 5910 TBAC module 110 may determine thata device 114 has requested access to a resource 145. In particularembodiments, TBAC module 110 may receive a resource token 115 cindicating that user 112 and/or device 114 has requested access toresource 145. TBAC module 110 may determine that user 112 and/or device114 has requested access to resource 145 in response to receivingresource token 115 c.

In step 5915, TBAC module 110 may determine that the resource 145 is aconfidential resource 145. In particular embodiments, resource token 115c may indicate that resource 145 is a confidential resource 145. TBACmodule 110 may determine that resource 145 is a confidential resource145 based on resource token 115 c. Examples of confidential resources145 may include documents that include confidential or secretinformation or any other type of resource 145 that includes confidentialor secret information. Owners and/or administrators of resource 145 maydesignate resource 145 as a confidential resource 145 to restrict accessto resource 145 to a limited group of users 112 and/or devices 114. Thislimited group of users 112 and/or devices 114 may be allowed to accessadditional resources 145, such as confidential resources 145, to whichgeneral users 112 and/or devices 114 may not have access. For example, acompany may keep a database that logs conversations amongst itsofficers. The company may wish to designate the database as confidentialin order to limit access to the database to its officers. As anotherexample, the company may want to limit access to the company networkpasswords to its IT staff. The company may designate the networkpasswords as confidential so that general employees and officers cannotaccess them. Although this disclosure describes a confidential resource145 as particular resources 145, this disclosure contemplatesconfidential resource 145 being any resource 145 that general users 112and/or devices 114 of system 100 are restricted from accessing.

In step 5920, TBAC module 110 may access session rules 4130. Inparticular embodiments, TBAC module 110 may use the plurality of tokens115 and the resource token 115 c to access session rules 4130. TBACmodule 110 may use one or more of these tokens to determine at least onesession rule 4130 applicable to resource 145. In particular embodiments,the at least one session rule 4130 may specify that access to resource145 may be granted if a particular token 115 is present. The particulartoken 115 may indicate that the device 114 is authorized to accessconfidential resources 145.

As an example and not by way of limitation, confidential resource 145may be owned by a company. The company may wish to grant onlycompany-provisioned devices 114 access to confidential resource 145. Acompany-provisioned device 114 may be a device 114 that the company hasprovisioned with the necessary security features to access confidentialresources 145. A company-provisioned device 114 may also be a device 114that the company has examined and determined to have the necessarysecurity features to access confidential resources 114. As a result, theat least one session rule 4130 may specify that access to confidentialresource 145 may be granted if a particular token 115 indicating thatthe device 114 is a company-provisioned device is present.

For example, the company may keep confidential sales data for use by itssales force. The company may designate the sales data as confidentialand set up the at least one session rule 4130 applicable to the salesdata to limit access to laptops, phones, and other mobile devices thatthe company has provisioned to its sales force. When an employee on thesales force requests access to the sales data from his company laptop,TBAC module 110 may determine that the requesting device 114 is a laptopprovisioned by the company to its sales force. TBAC module 110 may thenapply the at least one session rule 4130 and grant access to the salesdata. When the employee on the sale forces requests access to the salesdata from his personal laptop, TBAC module 110 may determine that therequesting device 114 is not a company-provisioned device 114. TBACmodule 110 may then apply the at least one session rule 4130 and denyaccess to the sales data.

In step 5925, TBAC module 110 may apply the at least one session rule4130 to determine whether the device 114 is authorized to accessconfidential resources 145. In particular embodiments, TBAC module 110may make this determination by determining whether a token 115indicating that device 114 is authorized to access confidentialresources 145 is present. To continue a previous example, to determinewhether device 114 is authorized to access confidential resources 145,TBAC module 110 may determine whether a particular token 115 such assubject token 115 k indicating that the device 114 is acompany-provisioned device is present.

If TBAC module 110 determines that the device 114 is not authorized toaccess confidential resources 145, TBAC module 110 may request theparticular token 115 in step 5936. Any appropriate element of system 100such as the token providers may respond to the request. TBAC module 110may receive a token 115 in response to the request in step 5937. In step5938, TBAC module 110 may determine whether the received token 115 isthe particular token 115. If not, TBAC module 110 deny access to theresource 145 in step 5940. If the received token 115 is the particulartoken 115, and thus the device 114 is authorized to access confidentialresources 145, then TBAC module 110 may continue to step 5930.

If TBAC module 110 determines that the device 114 is authorized toaccess confidential resources 145, TBAC module 110 may generate asession token 115 j in step 5930. In particular embodiments, the atleast one session rule 4130 may specify that session token 115 j shouldbe generated based at least upon the particular token 115 indicatingthat device 114 is authorized to access confidential resources 145 andone or more of the plurality of tokens stored in step 5905. For example,the at least one session rule may specify that session token 115 jshould be generated by combining the particular token 115 and one ormore of the plurality of tokens stored in step 5905. As another example,the at least one session rule 4130 may specify that session token 115 jshould be generated by hashing the particular token 115 and one or moreof the plurality of the tokens stored in step 5905.

In step 5935, TBAC module 110 may grant access to resource 145. Inparticular embodiments, TBAC module 110 may correlate session token 115j with one or more of the plurality of tokens 115 stored in step 5905 inconjunction with granting access to the resource 145. In this manner,TBAC module 110 may generate a session associated with accessing aconfidential resource 145.

In particular embodiments, user 112 may decide to terminate access toconfidential resource 145. In step 5941, TBAC module 110 may determinewhether user 112 has requested to terminate access to resource 145. TBACmodule 110 may receive a request from user 112 and/or device 114 toterminate access to resource 145. In response, TBAC module 110 mayterminate the session token in step 5942. In particular embodiments,TBAC module 110 may terminate session token 115 j by deleting sessiontoken 115 j. In other embodiments, TBAC module 110 may terminate sessiontoken 115 j by uncorrelating it with one or more stored tokens 115. TBACmodule 110 may also modify session token 115 j to terminate sessiontoken 115 j. In step 5943, TBAC module 110 may then terminate access toresource 145. In this manner, TBAC module 110 may terminate access toresource 145 in response to a request from user 112 and/or device 114.

TBAC module 110 may determine that an event affecting the riskassociated with granting access to the confidential resource 145 hasoccurred. In particular embodiments, TBAC module 110 may receive anevent token 115 x indicating the occurrence of the event. TBAC module110 may determine that the event has occurred in response to receivingevent token 115 x. For example, event token 115 x may indicate that thecompany-provisioned device 114 accessing the confidential resource 145has been infected by a virus or that the company-provisioned device 114has not received the latest software and security updates.

In step 5950, TBAC module 110 may determine whether access to theresource 145 should be terminated due to the event. In particularembodiments, the at least one session rule 4130 may specify whetheraccess to the resource 145 should be terminated in response to theevent. Terminating access to resource 145 may be desirable if the eventincreases the risk associated with granting access to the resource to anunacceptable level. TBAC module 110 may apply the at least one sessionrule 4130 to determine whether access to the resource 145 should beterminated. If access to the resource 145 should not be terminated, TBACmodule 110 may continue granting access to the resource in 5935.

If access to the resource 145 should be terminated, TBAC module 110 mayterminate the session token 115 j in step 5955. In particularembodiments, terminating the session token 115 j may include deletingthe session token 115 j, uncorrelating session token 115 j from one ormore of the plurality of tokens 115 stored in step 5905, modifyingsession token 115 j, and/or any other appropriate action taken withrespect to session token 115 j. TBAC module 110 may then terminateaccess to the confidential resource 145 in step 5960. In this manner,TBAC module 110 may terminate access to confidential resource 145 inresponse to the occurrence of the event.

In step 5965, TBAC module 110 may determine whether access to theconfidential resource 145 should be reestablished. In particularembodiments, the at least one session rule 4130 may specify that accessto resource 145 should be reestablished if a token 115 indicating thatthe event has been resolved is present. For example, TBAC module 110 mayreceive a token 115 indicating that the company-provisioned device is nolonger infected by a virus or that the company-provisioned has installedthe latest software and security updates. TBAC module 110 may receivethe token 115 in step 5961 and apply the at least one session rule 4130to determine that access to resource 145 should be reestablished. IfTBAC module 110 determines that access to resource 145 should bereestablished, TBAC module 110 may continue to step 5930. However, ifTBAC module 110 determines that access to the resource 145 should not bereestablished, TBAC module 110 may end method 5900.

FIG. 60 illustrates a method of performing session validation foruncontrolled devices. In general, TBAC module 110 may receive requestsfor resource 145 from uncontrolled devices 114, such as Internet kiosksand public workstations. TBAC module 110 may grant access to theuncontrolled devices 114 if the uncontrolled device 114 has not exceededa timeout. More details will be provided in the description of FIG. 60.

FIG. 60 illustrates a method 6000 of performing session validation foruncontrolled devices 114. TBAC module 110 may perform method 6000. TBACmodule 110 may begin by storing a plurality of tokens 115 in step 6005.In step 6010 TBAC module 110 may determine that a device 114 hasrequested access to a resource 145. In particular embodiments, TBACmodule 110 may receive a resource token 115 c indicating that device 114has requested access to resource 145. Resource 145 may be anyappropriate resource 145. TBAC module 110 may determine that device 114has requested access to resource 145 in response to receiving resourcetoken 115 c.

In step 6015, TBAC module 110 may determine that the device 114 is anunsecured device 114. In particular embodiments, TBAC module 110 maydetermine that the device 114 is an unsecured device 114 based on asubject token 115 k associated with device 114. TBAC module 110 mayreceive subject token 115 k from a token provider such as private tokenprovider 128 or public token provider 126. Examples of unsecured devicesinclude internet kiosks, public work stations, devices 114 with fewsecurity features, and/or devices 114 that are accessible by the publicsuch as library computers, ATMs, and rental laptops. Unsecured devices114 may also be devices 114 that lack the ability to authenticate users112 such as cash registers. In particular embodiments, it may bedesirable to limit the access granted to unsecured devices 114 in orderto reduce security risks associated with granting access to an unsecureddevice 114. For example, unsecured devices 114 are more prone to beingexposed to hackers and thieves. By limiting access to resource 145, itmay reduce the time that hackers and thieves have to hack and stealinformation.

In step 6020, TBAC module 110 may access session rules 4130. Inparticular embodiments, TBAC module 110 may use resource token 115 c,subject token 115 k, or one or more of the plurality of tokens 115stored in step 6005 to access session rules 4130. TBAC module 110 mayuse one or more of these tokens 115 to determine at least one sessionrule 4130 applicable to resource 145.

In particular embodiments, the at least one session rule 4130 mayspecify that access to resource 145 by unsecured devices 114 should belimited. For example, the at least one session rule 4130 may specifythat unsecured devices 114 should only be allowed to access resource 145for a certain period of time. In particular embodiments, this period oftime may be based upon the device 114, the user 112, and/or the resource145. For example, the at least one session rule 4130 may limit access toa bank account from unsecured devices 114 to a few minutes because theinformation contained in the bank account may be sensitive andconfidential. As another example, the at least one session rule 4130 maylimit access to a book from unsecured devices to a few hours because thebook may not contain sensitive or confidential information. In boththese examples, a user 112 who identifies himself as an administratormay be granted more time to these resources 145 than a general user 112.In particular embodiments, the at least one session rule 4130 mayspecify a timeout associated with the resource 145 and the unsecureddevice 114 that limits the amount of time unsecured device 114 mayaccess resource 145.

In step 6025, TBAC module 110 may apply the at least one session rule4130 and determine whether a timeout associated with the device 114 hasbeen exceeded. In particular embodiments, TBAC module 110 may determinewhether the timeout has exceeded based on a subject token 115 kassociated with device 114. The subject token 115 k may indicate anamount of time that unsecured device 114 has been accessing resource 145or an amount of time that unsecured device 114 has been active. TBACmodule 110 may compare this time with the timeout indicated by the atleast one session rule 4130 to determine whether the timeout has beenexceeded.

If TBAC module 110 determines that the timeout has been exceeded, TBACmodule 110 may continue to step 6041 to request that the timeout berefreshed. In particular embodiments, TBAC module 110 may make thisrequest by requesting a token 115 indicating that the timeout has beenrefreshed. User 112 and/or device 114 may perform a series of steps torefresh the timeout. For example, user 112 may answer a prompt torefresh the timeout. As another example, user 112 and/or device 114 mayperform a form of authentication, such as supplying a password, torefresh the timeout. After the timeout has been refreshed, TBAC module110 may receive the token 115 indicating that the timeout has beenrefreshed in step 6042.

After TBAC module 110 receives the token 115, TBAC module 110 maydetermine, based on the received token 115, whether the timeout has beenrefreshed in step 6043. If the timeout has not been refreshed, TBACmodule 110 may deny access to resource 145 in step 6040. If the timeouthas been refreshed, TBAC module 110 may continue to step 6030.

If TBAC module 110 determines that the timeout has not been exceeded orthat the timeout has been refreshed, TBAC module 110 may generate asession token 115 j in step 6030. In particular embodiments, the atleast one session rule 4130 may specify that session token 115 j shouldbe generated based at least upon the resource token 115 c, subject token115 k, and/or one or more of the plurality of tokens stored in step6005. For example, the at least one session rule may specify thatsession token 115 j should be generated by hashing resource token 115 cand subject token 115 k. As another example, the at least one sessionrule 4130 may specify that session token 115 j should be generated byhashing resource token 115 c, subject token 115 k, and one or more ofthe plurality of tokens 115 stored in step 6005, such as a network token115 f. TBAC module 110 may then grant access to resource 145 in step6035.

In particular embodiments, user 112 may decide to terminate access toresource 145. In step 6036, TBAC module 110 may determine whether user112 has requested to terminate access to resource 145. TBAC module 110may receive a request from user 112 and/or device 114 to terminateaccess to resource 145. In particular embodiments, TBAC module 110 mayreceive a token 115 indicating that user 112 and/or device 114 haverequested to terminate access. In response, TBAC module 110 mayterminate the session token in step 6050. In particular embodiments,TBAC module 110 may terminate session token 115 j by deleting sessiontoken 115 j. In other embodiments, TBAC module 110 may terminate sessiontoken 115 j by uncorrelating it with one or more stored tokens 115. TBACmodule 110 may also modify session token 115 j to terminate sessiontoken 115 j. In step 6055, TBAC module 110 may then terminate access toresource 145. In this manner, TBAC module 110 may terminate access toresource 145 in response to a request from user 112 and/or device 114.

In step 6045, TBAC module 110 may determine whether the timeout has beenexceeded. In particular embodiments, TBAC module 110 may apply the atleast one session rule 4130 to determine whether the timeout has beenexceeded. TBAC module 110 may compare a time indicated by a subjecttoken 115 k associated with device 114 to a timeout indicated by the atleast one session rule 4130 to determine whether the timeout has beenexceeded. If TBAC module 110 determines that the timeout has not beenexceeded, TBAC module 110 may continue granting access to the resource145.

If TBAC module 110 determines that the timeout has been exceeded, TBACmodule 110 may continue to step 6047 to request that the timeout berefreshed. In particular embodiments, TBAC module 110 may make thisrequest by requesting a token 115 indicating that the timeout has beenrefreshed. User 112 and/or device 114 may perform a series of steps torefresh the timeout. For example, user 112 may answer a prompt torefresh the timeout. As another example, user 112 and/or device 114 mayperform a form of authentication, such as supplying a password, torefresh the timeout. After the timeout has been refreshed, TBAC module110 may receive the token 115 indicating that the timeout has beenrefreshed in step 6048.

After TBAC module 110 receives the token 115, TBAC module 110 maydetermine, based on the received token 115, whether the timeout has beenrefreshed in step 6049. If the timeout has not been refreshed, TBACmodule 110 may continue to step 6050. If the timeout has been refreshed,TBAC module 110 may continue granting access to resource 145 in step6046.

FIG. 61 illustrates a method of performing session validation to accessmainframe resources. In general, TBAC module 110 may receive, from adevice 114, requests for a resource 145 associated with a mainframe.TBAC module 110 may grant access to the resource 145 if a password and ageographic location associated with the device have been provided. Moredetails will be provided in the description of FIG. 61.

FIG. 61 illustrates a method 6100 of performing session validation toaccess mainframe resources 145. TBAC module 110 may perform method 6100.TBAC module 110 may begin by storing a plurality of tokens 115 in step6105. In step 6110, TBAC module 110 may determine that a device 114 hasrequested access to a resource 145. In particular embodiments, TBACmodule 110 may receive a resource token 115 c indicating that device 114has requested access to resource 145. TBAC module 110 may determine thatdevice 114 has requested access to resource 145 in response to receivingresource token 115 c.

In step 6115, TBAC module 110 may determine that resource 145 is amainframe resource 145. In particular embodiments, resource token 115 cmay indicate that resource 145 is a mainframe resource 145. TBAC module110 may determine that resource 145 is a mainframe resource 145 based onresource token 115 c. A mainframe resource 145 may be a resource 145that is generally accessed by a mainframe such as for exampleadministrative tools, hardware management tools, diagnostic tools, andsoftware management tools. Although this disclosure describes particularexamples of mainframe resources 145, this disclosure contemplates anysuitable mainframe resources 145.

In particular embodiments, it may be desirable to limit access tomainframe resources 145 in order to reduce the risk that mainframesettings and functions are tampered. Furthermore, mainframe resourcesmay be costly, so it may be desirable to restrict access so that generalusers 112 do not waste mainframe resources 145. TBAC module 110 maylimit who and from where these resources 145 may be accessed. Forexample, TBAC module 110 may limit access to mainframe resources 145 toadministrators from the administrators' offices. As another example,TBAC module 110 may limit access to mainframe resources 145 to IT stafffrom a mainframe room. In this manner, TBAC module 110 may reduce therisk that an improper or unauthorized change occurs at the hands of ahacker or a tamperer. TBAC module 110 may receive and/or store a subjecttoken 115 k that indicates information related to who and from whereresource 145 may be accessed.

In step 6120, TBAC module 110 may access session rules 4130. Inparticular embodiments, TBAC module 110 may use resource token 115 c,subject token 115 k, and one or more of the plurality of tokens 115stored in step 6105 to access session rules 4130. TBAC module 110 mayuse one or more of these tokens 115 to determine at least one sessionrule 4130 applicable to resource 145.

In particular embodiments, the at least one session rule 4130 mayspecify that access to the mainframe resource 145 may be granted if atoken 115 indicating a password and a geographic location of a device114 used to request access to the resource 145 is present. Whendetermining access to a mainframe resource 145, the password mayidentify a user 112 who may be authorized to access the mainframeresource 145. The geographic location of the device 114 may be used todetermine from where the request is being made. For example, the atleast one session rule 4130 may specify that access to mainframeresources 145 may only be granted to administrators from theadministrators' offices. The password may be used to identify theadministrator and the geographic location may be used to determine ifthe request is coming from the administrator's office. If a token 115indicating a password identifying the administrator and that the requestfor access was made from the administrator's office is present, thenTBAC module 110 may grant access to mainframe resource 145 according tothe at least one session rule. Although this disclosure describes the atleast one session rule 4130 and the token 115 indicating particularexamples of users 112 and geographic locations, this disclosurecontemplates the at least one session rule 4130 and the token 115indicating any appropriate user 112 and any appropriate geographiclocation.

In step 6125, TBAC module 110 may determine whether the token 115indicating a password and geographic location of the device 114 ispresent. In particular embodiments, TBAC module 110 may apply the atleast one session rule 4130 to determine whether the token 115 ispresent. If the token 115 is not present, TBAC module 110 may requestthe token 115 in step 6126. TBAC module 110 may receive a token 115 suchas a subject token 115 k in response to the request in step 6127. If thereceived token 115 is not the token 115 specified by the at least onesession rule 4130, then TBAC module 110 may deny access to the resource145 in step 6140. If the received token 115 is the specified token 115,then TBAC module 110 may continue to step 6130.

If the token 115 is present, TBAC module 110 may generate a sessiontoken 115 j in step 6130. In particular embodiments, the at least onesession rule 4130 may specify that session token 115 j should begenerated based at least upon the resource token 115 c and one or moreof the plurality of tokens stored in step 6105. For example, the atleast one session rule may specify that session token 115 j should begenerated by hashing resource token 115 c and subject token 115 k. Asanother example, the at least one session rule 4130 may specify thatsession token 115 j should be generated by hashing resource token 115 c,subject token 115 k, and one or more of the plurality of tokens 115stored in step 6105, such as network token 115 f. TBAC module 110 maythen grant access to resource 145 in step 6135.

In particular embodiments, user 112 may decide to terminate access toresource 145. In step 6136, TBAC module 110 may determine whether user112 has requested to terminate access to resource 145. TBAC module 110may receive a request from user 112 and/or device 114 to terminateaccess to resource 145. In particular embodiments, TBAC module 110 mayreceive a token 115 indicating that user 112 and/or device 114 haverequested to terminate access. In response, TBAC module 110 mayterminate the session token in step 6155. In particular embodiments,TBAC module 110 may terminate session token 115 j by deleting sessiontoken 115 j. In other embodiments, TBAC module 110 may terminate sessiontoken 115 j by uncorrelating it with one or more stored tokens 115. TBACmodule 110 may also modify session token 115 j to terminate sessiontoken 115 j. In step 6160, TBAC module 110 may then terminate access toresource 145. In this manner, TBAC module 110 may terminate access toresource 145 in response to a request from user 112 and/or device 114.

TBAC module 110 may determine that an event affecting the riskassociated with granting access to resource 145 has occurred. Inparticular embodiments, TBAC module 110 may receive an event token 115 xindicating the occurrence of an event affecting the risk associated withgranting access to resource 145. For example, TBAC module 110 mayreceive an event token 115 x indicating that an alarm in the mainframeroom has triggered thus increasing the risk that unauthorized access tomainframe resource 145 is occurring. As another example, TBAC module 110may receive an event token 115 x indicating that a session has been idlefor too long thus increasing the chances that mainframe resources 145are being wasted. In response to receiving event token 115 x, TBACmodule 110 may determine that the event has occurred.

TBAC module 110 may then continue to step 6150 to determine whetheraccess to resource 145 should be terminated due to the event. Inparticular embodiments, the at least one session rule 4130 may specifywhether access should be terminated due to the event. TBAC module 110may apply the at least one session rule 4130 to determine whether toterminate access to resource 145. If access to resource 145 should notbe terminated, TBAC module 110 may continue granting access to resource145 in step 6141.

If access to resource 145 should be terminated, TBAC module 110 maycontinue to terminate the session token 115 j in step 6151. In step6152, TBAC module 110 may then terminate access to resource 145. In thismanner, TBAC module 110 may terminate access to resource 145 in responseto the occurrence of the event.

In particular embodiments, TBAC module 110 may receive a token 115indicating that the event has been resolved in step 6153. For example,TBAC module 110 may receive a subject token 115 k indicating that a user112 and/or device 114 has performed a form of re-authentication torefresh an idle session. As another example, TBAC module 110 may receivea token 115 indicating that a previously triggered alarm has beenresolved.

In step 6165, TBAC module 110 may determine whether access to resource145 should be reestablished in response to receiving the token 115indicating that the event has been resolved. In particular embodiments,the at least one session rule 4130 may specify that access to resource145 may be reestablished if the token 115 is present. TBAC module 110may receive the particular token 115 and apply the at least one sessionrule 4130 to determine that access to resource 145 should bereestablished. If the token 115 is present, TBAC module may continue tostep 6130. However, if TBAC module 110 determines that access should notbe reestablished, TBAC module 110 may conclude method 6100.

FIG. 62 illustrates a method of performing session validation to accessthird party resources. In general, TBAC module 110 may be notified by anentity that a device 114 has requested access to a resource 145 throughthe entity. TBAC module 110 may grant access to the resource if thedevice 114 has been properly identified by its subscriber identitymodule. More details will be provided in the description of FIG. 62.

FIG. 62 illustrates a method 6200 of performing session invalidation toaccess third party resources 145. TBAC module 110 may perform method6200. TBAC module 110 may begin by storing a plurality of tokens 115 instep 6210. In step 6220, TBAC module 110 may determine that a device 114has requested access to a resource 145. In particular embodiments, TBACmodule 110 may receive a resource token 115 c indicating that device 114has requested access to resource 145. TBAC module 110 may determine thatdevice 114 has requested access to resource 145 in response to receivingresource token 115 c.

In step 6230, TBAC module 110 may determine that device 114 hasrequested access to resource 145 through an entity. In particularembodiments, resource 145 may be under the control or ownership of theentity, and resource token 115 c may have been generated and sent by aprocess initiated by the entity. As an example and not by way oflimitation, a vendor may request payment from a distributor. Thedistributor may then forward the vendor's payment request to TBAC module110. TBAC module 110 may then determine whether the vendor's paymentrequest should be allowed. As another example, a customer may want tomake a purchase from a store. The store may forward the customer'spurchase request to TBAC module 110 to determine if the purchase shouldbe allowed. Although this disclosure describes requests for particulartransactions sent by particular entities, this disclosure contemplatesany appropriate request sent by any appropriate entity.

In particular embodiments, it may be desirable for the entity to rely onTBAC module 110 to determine whether the request should be allowed sothat the entity does not have to invest in its own access controlsystem. It may also be desirable for the entity to rely on TBAC module110 to determine whether the request should be allowed because theentity's access control system may not be as robust as TBAC module 110.For example, the entity may rely upon a username and passwordauthentication scheme to determine whether requests should be allowed.However, TBAC module 110 may consider usernames, passwords, environment,context, resource integrity, and many other factors to determine whetheraccess should be granted.

In step 6240, TBAC module 110 may access session rules 4130. Inparticular embodiments, TBAC module 110 may use resource token 115 c andone or more of the plurality of tokens stored in step 6210 to accesssession rules 4130. TBAC module 110 may use one or more of these tokens115 to determine at least one session rule 4130 applicable to resource145.

In particular embodiments, the at least one session rule 4130 mayspecify that access to resource 145 may be granted if a token 115associated with a subscriber identity module of the device 114 ispresent. Even though device 114 may have provided some form ofauthentication to access resource 145, if the device 114 includes asubscriber identity module then authentication provided by device 114may be more reliable. Although this disclosure describes the at leastone session rule 4130 specifying a particular condition for grantingaccess to resource 145, this disclosure contemplates the at least onesession rule 4130 specifying any appropriate conditions to grant accessto resource 145. For example, TBAC module 110 may consider a form ofauthentication associated with resource 145, such as Kerberosauthentication, to determine whether access should be granted. Asanother example, TBAC module 110 may consider a form of encryptionassociated with network 120 to determine whether access should begranted. A subscriber identity module of device 114 is described as anexample of one of several factors that TBAC module 110 may consider todetermine whether access may be granted.

In step 6245, TBAC module 110 may apply the at least one session rule4130 to determine whether a token 115, such as subject token 115 k,associated with a subscriber identity module of the device 114 ispresent. If the token 115 is present and hence device 114 is associatedwith a subscriber identity module, TBAC module 110 may provide greaterassurance to the entity that the device 114 is authorized to accessresource 145. If the token 115 is not present, TBAC module 110 mayrequest the token 115 in step 6246. After making the request, TBACmodule 110 may receive a token 115 from a token provider such as privatetoken provider 128 or public token provider 126 in step 6247. TBACmodule 110 may then determine if the received token 115 is the token 115specified by the at least one session rule 4130. If it is, TBAC module110 may continue to step 6250. If not, TBAC module 110 may deny accessto resource 145 in step 6260.

If the token 115 is present or has been received, TBAC module 110 maygenerate a session token 115 j in step 6250. In particular embodiments,the at least one session rule 4130 may specify that session token 115 jshould be generated based at least upon the resource token 115 c and oneor more of the plurality of tokens stored in step 6210. For example, theat least one session rule may specify that session token 115 j should begenerated by hashing resource token 115 c and subject token 115 k Asanother example, the at least one session rule 4130 may specify thatsession token 115 j should be generated by hashing resource token 115 c,subject token 115 k, and one or more of the plurality of tokens 115stored in step 6210, such as subject token 115 k. TBAC module 110 maythen grant access to resource 145 in step 6255.

In particular embodiments, user 112 may decide to terminate access toresource 145. In step 6256, TBAC module 110 may determine whether user112 has requested to terminate access to resource 145. TBAC module 110may receive a request from user 112 and/or device 114 to terminateaccess to resource 145. In particular embodiments, TBAC module 110 mayreceive a token 115 indicating that user 112 and/or device 114 haverequested to terminate access. In response, TBAC module 110 mayterminate the session token in step 6257. In particular embodiments,TBAC module 110 may terminate session token 115 j by deleting sessiontoken 115 j. In other embodiments, TBAC module 110 may terminate sessiontoken 115 j by uncorrelating it with one or more stored tokens 115. TBACmodule 110 may also modify session token 115 j to terminate sessiontoken 115 j. In step 6258, TBAC module 110 may then terminate access toresource 145. In this manner, TBAC module 110 may terminate access toresource 145 in response to a request from user 112 and/or device 114.

In particular embodiments, TBAC module 110 may determine that an eventaffecting the risk associated with granting access to resource 145 hasoccurred. In particular embodiments, TBAC module 110 may receive anevent token 115 x indicating the occurrence of an event affecting therisk associated with granting access to resource 145. For example, eventtoken 115 x may indicate that a security breach has occurred at theentity thus increasing the risk that the request sent by the entity wasincorrect or falsified. As another example, event token 115 x mayindicate that device 114 has been infected by a virus thus increasingthe chances that subject token 115 k associated with the subscriberidentity module of device 114 is falsified or erroneous. In response toreceiving event token 115 x, TBAC module 110 may determine that theevent has occurred.

TBAC module 110 may then continue to step 6270 to determine whetheraccess to resource 145 should be terminated due to the event. Inparticular embodiments, the at least one session rule 4130 may specifywhether access should be terminated due to the event. TBAC module 110may apply the at least one session rule 4130 to determine whether toterminate access to resource 145. If access to resource 145 should notbe terminated, TBAC module 110 may continue granting access to resource145 in step 6261.

If access to resource 145 should be terminated, TBAC module 110 maycontinue to terminate the session token 115 j in step 6275. In step6280, TBAC module 110 may then terminate access to resource 145. In thismanner, TBAC module 110 may terminate access to resource 145 in responseto the occurrence of the event.

In particular embodiments, TBAC module 110 may receive a token 115indicating that the event has been resolved in step 6281. For example,the token 115 may indicate that a virus on device 114 has been removedor that a security breach associated with the entity has been resolved.After the event has been resolved, access to resource 145 may bereestablished.

In step 6285, TBAC module 110 may determine whether access to resource145 should be reestablished. In particular embodiments, the at least onesession rule 4130 may specify that access to resource 145 may bereestablished if a particular token 115, such as a subject token 115 k,indicating that the event has been resolved is present. TBAC module 110may receive the particular token 115 and apply the at least one sessionrule 4130 to determine that access to resource 145 should bereestablished. If access should be reestablished, TBAC module 110 maycontinue to step 6250. However, if TBAC module 110 determines thataccess should not be reestablished, TBAC module 110 may conclude method6200.

FIG. 63 illustrates a method of performing third party sessionvalidation. In general, TBAC module 110 may receive a request from adevice 114 to access a resource 145. TBAC module 110 may determine that,based on the geographic location of the device 114, a third party shouldauthenticate the device 114 before access may be granted. More detailswill be provided in the description of FIG. 63.

FIG. 63 illustrates a method 6300 of performing third party sessionvalidation. TBAC module 110 may perform method 6300. TBAC module 110 maybegin by storing a plurality of tokens 115 in step 6305. In step 6310,TBAC module 110 may determine that a device 114 has requested access toa resource 145. In particular embodiments, TBAC module 110 may receive aresource token 115 c indicating that device 114 has requested access toresource 145. TBAC module 110 may determine that device 114 hasrequested access to resource 145 in response to receiving resource token115 c.

In step 6315, TBAC module 110 may determine the geographic location ofthe device 114. In particular embodiments, TBAC module 110 may determinethe geographic location of the device 114 based on a subject token 115 kassociated with device 114. As an example and not by way of limitation,TBAC module 110 may determine that device 114 is located in a differentcountry than TBAC module 110 based on subject token 115 k. In particularembodiments, it may be desirable to determine the geographic location ofdevice 114. Devices 114 in different countries than TBAC module 110 mayutilize different communication and security standards than TBAC module110. By determining the geographic location of device 114, TBAC module110 may be able to process communications from device 114 effectively.Furthermore, by determining the geographic location of device 114, TBACmodule 110 may be able to employ the appropriate security processes.

In step 6320, TBAC module 110 may access session rules 4130. Inparticular embodiments, TBAC module 110 may use resource token 115 c andone or more of the plurality of tokens 115 stored in step 6305 to accesssession rules 4130. TBAC module 110 may use one or more of these tokens115 to determine at least one session rule 4130 applicable to resource145.

In particular embodiments, the at least one session rule 4130 mayspecify that access to resource 145 may be granted if a particular token115 is present. Moreover, the at least one session rule 4130 may specifyan entity from which the token 115 may be requested if the token 115 isnot present and if the geographic location of the device 114necessitates the request. As an example and not by way of limitation,the at least one session rule 4130 may specify that the token 115 shouldbe requested from an alternative service provider if the token 115 isnot present and if the device is located in a different country thanTBAC module 110. In particular embodiments, device 114 may not be ableto directly communicate with an element of system 100 if device 114 isin a different country than system 100 because of differences incommunication or security standards. Device 114 may communicate insteadwith alternative service provider, which can account for the differentcommunication and security standards to communicate with system 100.

In step 6325, TBAC module 110 may apply the at least one session rule4130 and determine whether the token 115 specified by the at least onesession rule 4130 is present. If the token 115 is present, TBAC module110 may continue to generate a session token 115 j in step 6345. Forexample, alternative service provider may have already provided thetoken 115.

If the token 115 is not present, TBAC module 110 may apply the at leastone session rule 4130 to determine whether the token 115 should berequested from an entity, such as an alternative service provider, dueto the geographic location of the device 114 in step 6330. If TBACmodule 110 determines that the token 115 should not be requested from anentity, TBAC module 110 may conclude by denying access to the resource145 in step 6355.

If TBAC module 110 determines that the token 115 should be requestedfrom an entity, TBAC module 110 may transmit a request for the token 115to the entity in step 6335. In step 6340, TBAC module 110 may receivethe token 115 in response to the request to the entity. As an exampleand not by way of limitation, the at least one session rule 4130 mayspecify that the token 115 should be requested from an alternativeservice provider if device 114 is in a different country than TBACmodule 110. TBAC module 110 may determine, based on subject token 115 k,that device 114 is in a different country. TBAC module 110 may alsodetermine that the token 115 specified by the at least one session rule4130 is not present. In response to these determinations, TBAC module110 may then request and receive the token 115 from the alternativeservice provider.

TBAC module 110 may then continue to generate a session token 115 j instep 6345. In particular embodiments, TBAC module 110 may generatesession token 115 j by combining the particular token 115 specified bythe at least one session rule 4130 with one or more of the tokens 115stored in step 6305. For example, TBAC module 110 may hash theparticular token 115 with a subject token 115 k stored in step 6305 togenerate session token 115 j. TBAC module 110 may then continue to step6350 to grant access to resource 145. As part of granting access toresource 145, TBAC module 110 may correlate session token 115 j with oneor more of the tokens 115 stored in step 6305.

In particular embodiments, a user 112 associated with device 114 maydecide to terminate access to resource 145. In step 6351, TBAC module110 may determine whether user 112 has requested to terminate access toresource 145. TBAC module 110 may receive a request from user 112 and/ordevice 114 to terminate access to resource 145. In particularembodiments, TBAC module 110 may receive a token 115 indicating thatuser 112 and/or device 114 have requested to terminate access. Inresponse, TBAC module 110 may terminate the session token in step 6352.In particular embodiments, TBAC module 110 may terminate session token115 j by deleting session token 115 j. In other embodiments, TBAC module110 may terminate session token 115 j by uncorrelating it with one ormore stored tokens 115. TBAC module 110 may also modify session token115 j to terminate session token 115 j. In step 6353, TBAC module 110may then terminate access to resource 145. In this manner, TBAC module110 may terminate access to resource 145 in response to a request fromuser 112 and/or device 114.

In particular embodiments, TBAC module 110 may determine that an eventaffecting the risk associated with granting access to resource 145 hasoccurred. In particular embodiments, TBAC module 110 may receive anevent token 115 x indicating the occurrence of an event affecting therisk associated with granting access to resource 145. For example, eventtoken 115 x may indicate that a security breach associated with thealternative service provider has occurred thus increasing the risk thatcommunications from device 114 have been compromised en route to system100. As another example, event token 115 x may indicate that device 114has moved to a location that cannot communicate with the alternativeservice provider and thus device 114 would be subject to differences incommunication and security standards. In response to receiving eventtoken 115 x, TBAC module 110 may determine that the event has occurred.

TBAC module 110 may then continue to step 6365 to determine whetheraccess to resource 145 should be terminated due to the event. Inparticular embodiments, the at least one session rule 4130 may specifywhether access should be terminated due to the event. TBAC module 110may apply the at least one session rule 4130 to determine whether toterminate access to resource 145. If access to resource 145 should notbe terminated, TBAC module 110 may continue granting access to resource145 in step 6366.

If access to resource 145 should be terminated, TBAC module 110 maycontinue to terminate the session token 115 j in step 6370. In step6375, TBAC module 110 may then terminate access to resource 145. In thismanner, TBAC module 110 may terminate access to resource 145 in responseto the occurrence of the event.

In step 6380, TBAC module 110 may determine whether access to resource145 should be reestablished. In particular embodiments, the at least onesession rule 4130 may specify that access to resource 145 may bereestablished if a particular token 115, such as a subject token 115 k,indicating that the event has been resolved is present. For example, theparticular token 115 may indicate that a security breach associated withthe alternative service provider has been resolved. As another example,the particular token 115 may indicate that device 114 has reestablishedcommunication with the alternative service provider. TBAC module 110 mayreceive the particular token 115 and apply the at least one session rule4130 to determine that access to resource 145 should be reestablished.TBAC module 110 may then continue to step 6345. However, if TBAC module110 determines that access should not be reestablished, TBAC module 110may conclude method 6300.

FIG. 64 illustrates a method of performing network session validation.In general, TBAC module 110 may receive requests for a resource 145.TBAC module 110 may grant access to the resource 145 if the resource 145is associated with a virtual private network. More details will beprovided in the description of FIG. 64.

FIG. 64 illustrates a method 6400 of performing network sessionvalidation. TBAC module 110 may perform method 6400. TBAC module 110 maybegin by storing subject token 115 k, network token 115 f, among othersas appropriate, in step 6405. In step 6410, TBAC module 110 maydetermine that access to a resource 145 has been requested. Inparticular embodiments, TBAC module 110 may receive a resource token 115c indicating that access to resource 145 has been requested. TBAC module110 may determine that access to the resource 145 has been requested inresponse to receiving resource token 115 c.

In step 6415, TBAC module 110 may access session rules 4130. Inparticular embodiments, TBAC module 110 may use resource token 115 c andone or more of the tokens 115 stored in step 6405 to access sessionrules 4130. TBAC module 110 may use one or more of these tokens 115 todetermine at least one session rule applicable to resource 145.

In particular embodiments, the at least one session rule 4130 mayspecify that access to resource 145 may be granted if a token 115indicating that the resource 145 is associated with a virtual privatenetwork of the link layer of the open systems interconnection model ispresent. A virtual private network associated with resource 145 mayprovide more secure access to resource 145. As an example and not by wayof limitation, a virtual private network associated with resource 145may make it more difficult for resource 145 to be hacked or spoofed. Avirtual private network also loosens geographical constraints onaccessing resource 145. For example, if resource 145 is associated witha virtual private network, it is not necessary for a device 114requesting access to resource 145 to be located on the same network 120as resource 145.

In particular embodiments, the token 115 may further indicate particularaspects of features associated with the virtual private network. Forexample, the token 115 may also indicate a connection strength andconnection speed associated with the virtual private network. The token115 may also indicate the physical and/or ip addresses of the networks120 forming the virtual private network. As another example, the token115 may also indicate the ip addresses of the device 114 and/or resource145. Although this disclosure describes the token 115 indicatingparticular aspects and/or features associated with the virtual privatenetwork, this disclosure contemplates the token 115 indicating anyappropriate aspects and/or features associated with the virtual privatenetwork.

In step 6420, TBAC module 110 may apply the at least one session rule4130 to determine whether the token 115 indicating that resource 145 isassociated with a virtual private network of the link layer is present.If TBAC module 110 determines that the token 115 is not present and,TBAC module 110 may request token 115 in step 6421. After requestingtoken 115, TBAC module 110 may receive a token 115 in response to therequest in step 6422. In step 6423, TBAC module 110 may determinewhether the received token 115 is the token 115 specified by the atleast one session rule 4130. If the received token 115 is not the token115 specified by the at least one session rule 4130, TBAC module 110 mayconclude by denying access to the resource 145 in step 6435. If thereceived token 115 is the token 115 specified by the at least onesession rule 4130, TBAC module 110 may continue to step 6424.

If TBAC module 110 determines that the token 115 is present or received,then TBAC module 110 may generate a session token 115 j in step 6425. Inparticular embodiments, TBAC module 110 may generate session token 115 jby combining the particular token 115 specified by the at least onesession rule 4130 with one or more of the tokens 115 stored in step6405. For example, TBAC module 110 may hash the particular token 115with a subject token 115 k stored in step 6405 to generate session token115 j. TBAC module 110 may then continue to step 6430 to grant access toresource 145. As part of granting access to resource 145, TBAC module110 may correlate session token 115 j with one or more of the tokens 115stored in step 6405.

In particular embodiments, a user 112 associated with device 114 maydecide to terminate access to resource 145. In step 6431, TBAC module110 may determine whether user 112 has requested to terminate access toresource 145. TBAC module 110 may receive a request from user 112 and/ordevice 114 to terminate access to resource 145. In particularembodiments, TBAC module 110 may receive a token 115 indicating thatuser 112 and/or device 114 have requested to terminate access. Inresponse, TBAC module 110 may terminate the session token in step 6432.In particular embodiments, TBAC module 110 may terminate session token115 j by deleting session token 115 j. In other embodiments, TBAC module110 may terminate session token 115 j by uncorrelating it with one ormore stored tokens 115. TBAC module 110 may also modify session token115 j to terminate session token 115 j. In step 6433, TBAC module 110may then terminate access to resource 145. In this manner, TBAC module110 may terminate access to resource 145 in response to a request fromuser 112 and/or device 114.

In particular embodiments, TBAC module 110 may determine that an eventaffecting the risk associated with granting access to resource 145 hasoccurred. In particular embodiments, TBAC module 110 may receive anevent token 115 x indicating the occurrence of an event affecting therisk associated with granting access to resource 145. For example, eventtoken 115 x may indicate that a connection associated with device 114has experienced a security breach, thus increasing the risk ofunauthorized or inappropriate communications over the virtual privatenetwork. As another example, event token 115 x may indicate thatresource 145 has been exposed to a virus thus increasing the risk thatdevice 114 may be exposed as a result of accessing resource 145. Inresponse to receiving event token 115 x, TBAC module 110 may determinethat the event has occurred.

TBAC module 110 may then continue to step 6445 to determine whetheraccess to resource 145 should be terminated due to the event. Inparticular embodiments, the at least one session rule 4130 may specifywhether access should be terminated due to the event. TBAC module 110may apply the at least one session rule 4130 to determine whether toterminate access to resource 145. If access to resource 145 should notbe terminated, TBAC module 110 may continue granting access to resource145 in step 6446.

If access to resource 145 should be terminated, TBAC module 110 maycontinue to terminate the session token 115 j in step 6450. In step6455, TBAC module 110 may then terminate access to resource 145. In thismanner, TBAC module 110 may terminate access to resource 145 in responseto the occurrence of the event.

In step 6460, TBAC module 110 may determine whether access to resource145 should be reestablished. In particular embodiments, the at least onesession rule 4130 may specify that access to resource 145 may bereestablished if a particular token 115, such as a subject token 115 k,indicating that the event has been resolved is present. For example, theparticular token 115 may indicate that a security breach associated withdevice 114 has been resolved. As another example, the particular token115 may indicate that a virus associated with resource 145 has beenremoved. TBAC module 110 may receive the particular token 115 and applythe at least one session rule 4130 to determine that access to resource145 should be reestablished. TBAC module 110 may then reestablish accessto the resource 145 by continuing to step 6425. However, if TBAC module110 determines that access should not be reestablished, TBAC module 110may conclude method 6400.

FIG. 65 illustrates a method of performing emergency session validation.In general, TBAC module 110 may limit or terminate access to a resource145 when an emergency has been declared. More details will be providedin the description of FIG. 65.

FIG. 65 illustrates a method 6500 of performing emergency sessionvalidation. TBAC module 110 may perform method 6500. TBAC module 110 maybegin by storing a subject token 115 k, network token 115 f, amongothers as appropriate, in step 6505. In step 6510, TBAC module 110 maydetermine that access to a resource 145 has been requested by a user112. In particular embodiments, TBAC module 110 may receive a resourcetoken 115 c indicating that user 112 has requested access to resource145. In response to receiving resource token 115 c, TBAC module 110 maydetermine that access to resource 145 has been requested.

TBAC module 110 may continue to step 6515 and access session rules 4130.In particular embodiments, TBAC module 110 may use one or more of thepreviously described tokens 115 to access session rules 4130, and todetermine at least one session rule 4130 applicable to resource 145. Theat least one session rule 4130 may specify that access to resource 145may be granted if a particular token 115 is present. In step 6520, TBACmodule 110 may determine whether the particular token 115 specified bythe at least one session rule 4130 is present.

If the particular token 115 is not present, TBAC module 110 may requestthe particular token 115 in step 6521. After making the request, TBACmodule 110 may receive a token 115 in step 6522. In step 6523, TBACmodule 110 may determine whether the received token 115 is theparticular token 115. If it is not, TBAC module 110 may deny access tothe resource 145 in step 6535. If the received token 115 is theparticular token 115, TBAC module 110 may continue to step 6525.

If the particular token 115 specified by the at least one session rule4130 is present or has been received, TBAC module 110 may generate asession token 115 j in step 6525. In particular embodiments, TBAC module110 may generate session token 115 j by combining the particular token115 specified by the at least one session rule 4130 with one or more ofthe tokens 115 stored in step 6505. For example, TBAC module 110 mayhash the particular token 115 with a subject token 115 k stored in step6505 to generate session token 115 j. TBAC module 110 may then continueto step 6530 to grant access to resource 145. As part of granting accessto resource 145, TBAC module 110 may correlate session token 115 j withone or more of the tokens 115 stored in step 6505.

In particular embodiments, the user 112 may decide to terminate accessto resource 145. In step 6531, TBAC module 110 may determine whetheruser 112 has requested to terminate access to resource 145. TBAC module110 may receive a request from user 112 and/or a device 114 associatedwith user 112 to terminate access to resource 145. In particularembodiments, TBAC module 110 may receive a token 115 indicating thatuser 112 and/or device 114 have requested to terminate access. Inresponse, TBAC module 110 may terminate the session token in step 6532.In particular embodiments, TBAC module 110 may terminate session token115 j by deleting session token 115 j. In other embodiments, TBAC module110 may terminate session token 115 j by uncorrelating it with one ormore stored tokens 115. TBAC module 110 may also modify session token115 j to terminate session token 115 j. In step 6533, TBAC module 110may then terminate access to resource 145. In this manner, TBAC module110 may terminate access to resource 145 in response to a request fromuser 112 and/or device 114.

In step 6540, TBAC module 110 may determine whether an emergency hasbeen declared. In particular embodiments, TBAC module 110 may receive anevent token 115 x indicating that an emergency has been declared. TBACmodule 110 may determine that an emergency has been declared in responseto receiving event token 115 x. In particular embodiments, the emergencymay be associated with user 112. For example, user 112 may be inphysical danger or may be injured. User 112 and/or device 114 maydeclare an emergency by performing a series of instructions. As anexample and not by way of limitation, user 112 may declare an emergencyby dialing an emergency number on device 114. As another example and notby way of limitation, user 112 may declare an emergency by pressing aparticular series of buttons on device 114. If TBAC module 110determines that an emergency has not been declared, TBAC module 110 maycontinue granting access to resource 145 in step 6541. If TBAC module110 determines that an emergency has been declared, TBAC module 110 maycontinue to step 6545.

In particular embodiments, the at least one session rule 4130 mayspecify that access to the resource 145 should be terminated when atoken 115, such as an event token 115 x indicating that an emergency isdeclared is present. As an example and not by way limitation, the atleast one session rule 4130 may specify that access to resource 145should be terminated when a token 115 indicating that user 112 hasdialed an emergency number on device 114 is present. In particularembodiments, it may be desirable to limit or restrict access to resource145 during an emergency to free up capacity and/or processing power inany appropriate element of system 100. Freeing up capacity and/orprocessing power in appropriate elements of system 100 may be necessaryto quickly and efficiently handle the emergency. For example, accessingresource 145 may consume significant amounts of capacity and/orprocessing power associated with resource provider 145. However, thatprocessing power and/or capacity may be necessary to handle theemergency promptly and efficiently. TBAC module 110 may determine thataccess to resource 145 may be terminated in order to free up theprocessing power and capacity associated with resource provider 145 sothat the emergency can be handled appropriately.

In step 6545, TBAC module 110 may apply the at least one session rule4130 to determine whether access to resource 145 should be terminateddue to the emergency. If TBAC module 110 determines that access toresource 145 should not be terminated due to the emergency, TBAC module110 may continue granting access to resource 145 in step 6541. Forexample, if TBAC module 110 determines that sufficient capacity and/orprocessing power is available to handle the emergency withoutterminating access to resource 145, TBAC module 110 may not terminateaccess to resource 145. As another example, if TBAC module 110determines that access to resource 145 is necessary to handle theemergency, TBAC module 110 may not terminate access to resource 145.

If TBAC module 110 determines that access should be terminated, thenTBAC module 110 may terminate the session token 115 j in step 6550. Instep 6455, TBAC module 110 may then terminate access to resource 145. Inthis manner, TBAC module 110 may terminate access to resource 145 inresponse to the emergency.

In step 6560, TBAC module 110 may determine whether the emergency hasbeen resolved. In particular embodiments, the at least one session rule4130 may specify that access to resource 145 may be reestablished if atoken 115 indicating that the emergency has been resolved is present.Once the emergency has been resolved, it may be desirable to usecapacity and processing power in particular elements of system 100 toaccess resource 145. In particular embodiments, TBAC module 110 mayreceive a token 115 indicating that the emergency has been resolved.TBAC module 110 may determine that the emergency has been resolved inresponse to receiving the token 115. If TBAC module 110 determines thatthe token 115 is not present and hence that the emergency has not beenresolved, TBAC module 110 may continue waiting for the emergency to beresolved in step 6561. If TBAC module 110 determines that the token 115is present and hence that the emergency has been resolved, TBAC module110 may reestablish access to the resource by continuing to step 6525.

FIG. 66 illustrates a method of performing subject recognition sessionvalidation. In general, TBAC module 110 may limit or terminate access toa resource 145 when a face or a voice other than that of an authorizeduser's is detected. More details will be provided in the description ofFIG. 66.

FIG. 66 illustrates a method 6600 of performing subject recognitionsession validation. TBAC module 110 may perform method 6600. TBAC module110 may begin by storing a subject token 115 k, network token 115 f,among others as appropriate, in step 6605. In step 6610, TBAC module 110may determine that access to a resource 145 has been requested by a user112. In particular embodiments, TBAC module 110 may receive a resourcetoken 115 c indicating that user 112 has requested access to resource145. In response to receiving resource token 115 c, TBAC module 110 maydetermine that access to resource 145 has been requested.

TBAC module 110 may continue to step 6615 and access session rules 4130.In particular embodiments, TBAC module 110 may use one or more of thepreviously described tokens 115 to access session rules 4130, and todetermine at least one session rule 4130 applicable to resource 145. Theat least one session rule 4130 may specify that access to resource 145may be granted if a particular token 115 is present. In step 6620, TBACmodule 110 may determine whether the particular token 115 specified bythe at least one session rule 4130 is present. If the particular token115 is not present, TBAC module 110 may request the particular token 115in step 6621. After making the request, TBAC module 110 may receive atoken 115 in step 6622. In step 6623, TBAC module 110 may determinewhether the received token is the particular token 115. If not, TBACmodule 110 may deny access to the resource 145 in step 6635.

If the particular token 115 specified by the at least one session rule4130 is present, TBAC module 110 may generate a session token 115 j instep 6625. In particular embodiments, TBAC module 110 may generatesession token 115 j by combining the particular token 115 specified bythe at least one session rule 4130 with one or more of the tokens 115stored in step 6605. For example, TBAC module 110 may hash theparticular token 115 with a subject token 115 k stored in step 6605 togenerate session token 115 j. TBAC module 110 may then continue to step6630 to grant access to resource 145. As part of granting access toresource 145, TBAC module 110 may correlate session token 115 j with oneor more of the tokens 115 stored in step 6605.

In particular embodiments, the user 112 may decide to terminate accessto resource 145. In step 6631, TBAC module 110 may determine whetheruser 112 has requested to terminate access to resource 145. TBAC module110 may receive a request from user 112 and/or a device 114 associatedwith user 112 to terminate access to resource 145. In particularembodiments, TBAC module 110 may receive a token 115 indicating thatuser 112 and/or device 114 have requested to terminate access. Inresponse, TBAC module 110 may terminate the session token in step 6632.In particular embodiments, TBAC module 110 may terminate session token115 j by deleting session token 115 j. In other embodiments, TBAC module110 may terminate session token 115 j by uncorrelating it with one ormore stored tokens 115. TBAC module 110 may also modify session token115 j to terminate session token 115 j. In step 6633, TBAC module 110may then terminate access to resource 145. In this manner, TBAC module110 may terminate access to resource 145 in response to a request fromuser 112 and/or device 114.

In particular embodiments, the at least one session rule 4130 mayspecify that access to the resource 145 may be terminated if a token115, such as an event token 115 x, indicating that a face or a voiceother than the user's has been detected is present. Faces and voices maybe detected through facial and voice recognition software. If a face ora voice other than the user's has been detected, it may indicate thatunauthorized access to resource 145 may be occurring. Terminating accessto resource 145 may stop the unauthorized access. Facial and voicerecognition software associated with device 114 may be utilized todetect faces and/or voices other than the user's.

In step 6640, TBAC module 110 may determine that a face and/or a voiceother than the user's has been detected. In particular embodiments, TBACmodule 110 may receive an event token 115 x indicating that a faceand/or a voice other than the user's has been detected. TBAC module 110may determine that a face and/or a voice other than the user's has beendetected in response to receiving event token 115 x. If TBAC module 110determines that event token 115 x is not present and hence that a faceand/or a voice other than the user's has not been detected, TBAC module110 may continue granting access to the resource 145 in step 6641.

If TBAC module 110 determines that event token 115 x is present andhence that a face or a voice other than the user's has been detected,TBAC module 110 may continue to determine whether access to the resource145 should be terminated due to the detection in step 6645. Inparticular embodiments, the at least one session rule 4130 may specifywhether access to resource 145 should be terminated when a face and/or avoice other than the user's has been detected. For example, the at leastone session rule 4130 may specify that access to a movie should not beterminated if a face and/or a voice other than the user's is detected,because movies are typically watched with others and there is nosecurity threat posed by other users 112 seeing the movie. As anotherexample, the at least one session rule 4130 may specify that access to achecking account should be terminated if a face and/or a voice otherthan the user's is detected, because the checking account may containprivate or confidential information regarding the user 112 that shouldnot be seen by others. TBAC module 110 may apply the at least onesession rule 4130 to determine whether to terminate access due to thedetection. If TBAC module 110 determines that access should not beterminated, TBAC module 110 may continue granting access to resource 145in step 6641.

If TBAC module 110 determines that access should be terminated, TBACmodule 110 may terminate the session token 115 j in step 6650. In step6655, TBAC module 110 may then terminate access to resource 145. In thismanner, TBAC module 110 may terminate access to resource 145 in responseto the detection of a face or voice other than the user's.

In particular embodiments, the at least one session rule 4130 mayspecify that access to the resource 145 may be reestablished undercertain conditions. As an example and not by way of limitation, the atleast one session rule 4130 may specify that access to the resource maybe reestablished if a form of authentication such as biometricauthentication is performed. By performing the form of authentication,user 112 would be notifying system 100 that user 112 is allowing theother person to potentially view information related to resource 145. Asanother example and not by way of limitation, the at least one sessionrule 4130 may specify that access to resource 145 may be reestablishedif a face or a voice other than the user's is no longer detected. Inparticular embodiments, TBAC module 110 may receive a token 115indicating that the form of authentication has been performed in step6656. In other embodiments, the token 115 may indicate that the faceand/or voice other than the user's is no longer detected.

In step 6660, TBAC module 110 may apply the at least one session rule4130 to determine whether access to resource 145 should bereestablished. In particular embodiments, the at least one session rule4130 may specify a condition under which access to resource 145 may bereestablished. For example, the at least one session rule 4130 mayspecify that access to resource 145 may be reestablished if a token 115indicating that a form of authentication has been performed is present.As another example, the at least one session rule 4130 may specify thataccess to resource 145 may be reestablished if a token 115 indicatingthat the face and/or voice other than the user's is no longer detectedis present. TBAC module 110 may determine that access to resource 145should be reestablished in response to receiving token 115. If TBACmodule 110 determines that access should be reestablished, TBAC module110 may continue to step 6625. If TBAC module 110 determines that accessshould not be reestablished, TBAC module 110 may conclude method 6600.

FIG. 67 illustrates a method of performing object security sessionvalidation. In general, TBAC module 110 may limit or terminate access toa resource 145 when an alarm triggers. More details will be provided inthe description of FIG. 67.

FIG. 67 illustrates a method 6700 of performing object security sessionvalidation. TBAC module 110 may perform method 6700. TBAC module 110 maybegin by storing a subject token 115 k, network token 115 f, amongothers as appropriate, in step 6705. In step 6710, TBAC module 110 maydetermine that access to a resource 145 has been requested by a device114. In particular embodiments, TBAC module 110 may receive a resourcetoken 115 c indicating that device 114 has requested access to resource145. In particular embodiments, device 114 may be an automobile, ahouse, a boat, and any other suitable device 114 that can be associatedwith an alarm. In response to receiving resource token 115 c, TBACmodule 110 may determine that access to resource 145 has been requested.

TBAC module 110 may continue to step 6715 and access session rules 4130.In particular embodiments, TBAC module 110 may use one or more of thepreviously described tokens 115 to access session rules 4130, and todetermine at least one session rule 4130 applicable to resource 145. Theat least one session rule 4130 may specify that access to resource 145may be granted if a particular token 115 is present. In step 6720, TBACmodule 110 may determine whether the particular token 115 specified bythe at least one session rule 4130 is present. If the particular token115 is not present, TBAC module 110 may request the particular token 115in step 6721. After the request has been made, TBAC module 110 mayreceive a token 115 in step 6722. In step 6723, TBAC module 110 maydetermine whether the received token 115 is the particular token 115. Ifit is, TBAC module may continue to step 6725. If not, TBAC module 110may deny access to the resource 145 in step 6735.

If the particular token 115 specified by the at least one session rule4130 is present or has been received, TBAC module 110 may generate asession token 115 j in step 6725. In particular embodiments, TBAC module110 may generate session token 115 j by combining the particular token115 specified by the at least one session rule 4130 with one or more ofthe tokens 115 stored in step 6705. For example, TBAC module 110 mayhash the particular token 115 with a subject token 115 k stored in step6705 to generate session token 115 j. TBAC module 110 may then continueto step 6730 to grant access to resource 145. As part of granting accessto resource 145, TBAC module 110 may correlate session token 115 j withone or more of the tokens 115 stored in step 6705.

In particular embodiments, the user 112 may decide to terminate accessto resource 145. In step 6731, TBAC module 110 may determine whetheruser 112 has requested to terminate access to resource 145. TBAC module110 may receive a request from user 112 and/or a device 114 associatedwith user 112 to terminate access to resource 145. In particularembodiments, TBAC module 110 may receive a token 115 indicating thatuser 112 and/or device 114 have requested to terminate access. Inresponse, TBAC module 110 may terminate the session token in step 6732.In particular embodiments, TBAC module 110 may terminate session token115 j by deleting session token 115 j. In other embodiments, TBAC module110 may terminate session token 115 j by uncorrelating it with one ormore stored tokens 115. TBAC module 110 may also modify session token115 j to terminate session token 115 j. In step 6733, TBAC module 110may then terminate access to resource 145. In this manner, TBAC module110 may terminate access to resource 145 in response to a request fromuser 112 and/or device 114.

In particular embodiments, the at least one session rule 4130 mayspecify that access to resource 145 may be terminated if a token 115,such as an event token 115 x, indicating an alarm associated with thedevice 145 has been triggered is present. In step 6740, TBAC module 110may determine whether the alarm associated with the device 114 hastriggered. In particular embodiments, TBAC module 110 may make thisdetermination based on a token 115 such as event token 115 x. If thealarm has not triggered, TBAC module 110 may continue granting access toresource 145 in step 6741. If the alarm has triggered, TBAC module 110may continue to step 6742. When an alarm associated with device 114triggers, it may indicate that unauthorized access of resource 145 isoccurring. Terminating access to resource 145 may prevent theunauthorized access from continuing. Examples of alarms associated withdevice 114 may include car alarms, home alarms, anti-theft alarms,and/or any other appropriate alarms. In particular embodiments, TBACmodule 110 may terminate access to resource 145 in response to the alarmtriggering to prevent unauthorized access to resource 145. For example,a car may be accessing information from an account associated with theowner of the car when the car's alarm triggers. The triggering may haveoccurred as a result of someone attempting to break into the car. Inresponse to the alarm triggering, TBAC module 110 may terminate thecar's access to the account to protect the driver's information.

In step 6742, TBAC module 110 may determine whether access to theresource 145 should be terminated. In particular embodiments, the atleast one session rule 4130 may specify that access to resource 145should be terminated if TBAC module 110 determines that an alarmassociated with device 114 has triggered. TBAC module 110 may apply theat least one session rule 4130 to determine whether access should beterminated due to the alarm associated with the device 114 beingtriggered. In particular embodiments, TBAC module 110 may determine thatthe alarm has triggered in response to receiving event token 115 x. IfTBAC module 110 determines that the event token 115 x is not present andhence that the alarm associated with device 114 has not triggered, TBACmodule 110 may continue granting access to resource 145 in step 6741.

If TBAC module 110 determines that event token 115 x is present andhence that the alarm associated with device 114 has triggered, TBACmodule 110 may terminate the session token 115 j in step 6745. In step6750, TBAC module 110 may then terminate access to resource 145. In thismanner, TBAC module 110 may terminate access to resource 145 in responseto the triggering of an alarm.

In particular embodiments, TBAC module 110 may receive a token 115indicating that the alarm has been resolved in step 6751. In particularembodiments, the at least one session rule 4130 may specify that accessto the resource 145 may be reestablished if the alarm has been resolved.Resolving the alarm may indicate that the intrusion has ceased and/orthat the alarm was determined to be a false alarm. In either case,unauthorized access to resource 145 may have ceased. Although thisdisclosure describes particular events resolving the alarm, thisdisclosure contemplates any appropriate events resolving the alarm. Forexample, a user 112 associated with device 114 may have entered apassword to silence the alarm.

In step 6755, TBAC module 110 may apply the at least one session rule4130 to determine whether access should be reestablished. In particularembodiments, TBAC module 110 may have received the token 115 indicatingthat the alarm has been resolved. TBAC module 110 may determine that thealarm has been resolved in response to receiving the token 115. If TBACmodule 110 determines that the token 115 is not present and hence thatthe alarm has not been resolved, TBAC module 110 may conclude method6700. If TBAC module 110 determines that the token 115 is present andhence that the alarm has been resolved, TBAC module 110 may continue tostep 6725.

FIG. 68 illustrates a method of performing object transaction sessionvalidation. In general, TBAC module 110 may perform session validationto process transactions. More details will be provided in thedescription of FIG. 68.

FIG. 68 illustrates a method 6800 of performing object transactionsession validation. TBAC module 110 may perform method 6800. TBAC module110 may begin by storing a subject token 115 k, network token 115 f,among others as appropriate, in step 6705. In step 6810 TBAC module 110may determine that a transaction associated with resource 145 has beenrequested. In particular embodiments, TBAC module 110 may receive aresource token 115 c indicating that a transaction associated withresource 145 has been requested. TBAC module 110 may determine thetransaction associated with resource 145 has been requested in responseto receiving resource token 115 c. As an example, TBAC module 110 maydetermine that a purchase transaction has been requested. TBAC module110 may further determine that a funds transfer has been requested.

In particular embodiments, the request for the transaction may be made adevice 114 such as a computer, laptop, mobile phone, automobile, house,boat, and any other appropriate device 114. The transaction may be anysuitable type of transaction including financial transactions, purchasetransactions, and data transfer transaction. As an example, a car mayuse an RFID tag to request a purchase transaction regarding a parkingspot. The car may park in the spot and the RFID tag may transmit apurchase transaction with the owner of the spot. Funds may then bedebited directly from an account associated with a user 112 of the car.As another example, a user 112 may wish to purchase an item from astore. The user 112 may pay for the item by requesting a purchasetransaction from the user's phone. Funds may then be debited directlyfrom an account associated with the user 112.

TBAC module 110 may continue to step 6815 and access session rules 4130.In particular embodiments, TBAC module 110 may use one or more of thepreviously described tokens 115 to access session rules 4130, and todetermine at least one session rule 4130 applicable to resource 145. Theat least one session rule 4130 may specify that access to resource 145may be granted if a particular token 115 is present. In step 6820, TBACmodule 110 may determine whether the particular token 115 specified bythe at least one session rule 4130 is present. If the particular token115 is not present, TBAC module 110 may request the particular token 115in step 6821. After the request has been made, TBAC module 110 mayreceive a token 115 in step 6822. In step 6823, TBAC module 110 maydetermine whether the received token 115 is the particular token 115. Ifit is, TBAC module 110 may continue to step 6825. If not, TBAC modulemay deny access to the resource 145 in step 6840.

If the particular token 115 specified by the at least one session rule4130 is present or has been received, TBAC module 110 may generate asession token 115 j in step 6825. In particular embodiments, TBAC module110 may generate session token 115 j by combining the particular token115 specified by the at least one session rule 4130 with one or more ofthe tokens 115 stored in step 6805. For example, TBAC module 110 mayhash the particular token 115 with a subject token 115 k stored in step6805 to generate session token 115 j. TBAC module 110 may then continueto step 6830 to grant access to resource 145. As part of granting accessto resource 145, TBAC module 110 may correlate session token 115 j withone or more of the tokens 115 stored in step 6805. After granting accessto resource 145, TBAC module 110 may allow the transaction associatedwith resource 145 in step 6835. In particular embodiments, after TBACmodule 110 allows the transaction, an element of system 100 may beginprocessing the transaction.

In particular embodiments, the user 112 may decide to terminate accessto resource 145. In step 6836, TBAC module 110 may determine whetheruser 112 has requested to terminate access to resource 145. TBAC module110 may receive a request from user 112 and/or a device 114 associatedwith user 112 to terminate access to resource 145. In particularembodiments, TBAC module 110 may receive a token 115 indicating thatuser 112 and/or device 114 have requested to terminate access. Inresponse, TBAC module 110 may terminate the session token in step 6837.

In particular embodiments, TBAC module 110 may terminate session token115 j by deleting session token 115 j. In other embodiments, TBAC module110 may terminate session token 115 j by uncorrelating it with one ormore stored tokens 115. TBAC module 110 may also modify session token115 j to terminate session token 115 j. In step 6838, TBAC module 110may then terminate access to resource 145. In this manner, TBAC module110 may terminate access to resource 145 in response to a request fromuser 112 and/or device 114.

In particular embodiments, TBAC module 110 may determine that an eventaffecting the risk associated with granting access to resource 145 hasoccurred. TBAC module 110 may receive an event token 115 x indicatingthe occurrence of an event affecting the risk associated with grantingaccess to resource 145. For example, even token 115 x may indicate thatdevice 114 has been exposed to potential unauthorized access. Examplesof unauthorized accesses may include a car getting broken into and acomputer getting hacked. As another example, event token 115 x mayindicate that resource 145 has been infected by a virus thus increasingthe risk that device 114 may be exposed to the virus if access toresource 145 continues. In response to receiving event token 115 x, TBACmodule 110 may determine that the event has occurred.

TBAC module 110 may then continue to step 6850 to determine whetheraccess to resource 145 should be terminated due to the event. Inparticular embodiments, the at least one session rule 4130 may specifywhether access should be terminated due to the event. For example, theat least one session rule 4130 may specify that access should beterminated if event token 115 x indicating that unauthorized access hasoccurred is present. As another example, the at least one session rule4130 may specify that access should be terminated if event token 115 xindicating that resource 145 has been infected by a virus is present.TBAC module 110 may apply the at least one session rule 4130 todetermine whether to terminate access to resource 145. If access toresource 145 should not be terminated, TBAC module 110 may continuegranting access to resource 145 in step 6851.

If access to resource 145 should be terminated, TBAC module 110 maycontinue to step 6855 to determine whether the transaction isincomplete. If the transaction is incomplete, TBAC module 110 maycomplete the transaction in step 6860. For example, a purchasetransaction may not be finished processing when TBAC module 110determines that access should be terminated. Before TBAC module 110terminates the session token 115 j, it may let the purchase transactionfinish processing. In particular embodiments, instead of completing thetransaction, TBAC module 110 may halt the transaction. For example,certain transactions like data transfer transactions may take longerthan other transactions like purchase transactions. TBAC module 110 maydetermine to halt these transactions rather than letting them completebefore terminating session token 115 j.

If there the transaction is complete, or after completing and/or haltingthe transaction, TBAC module 110 may continue to terminate the sessiontoken 115 j in step 6865. In step 6870, TBAC module 110 may thenterminate access to resource 145. In this manner, TBAC module 110 mayterminate access to resource 145 in response to the occurrence of theevent.

In step 6875, TBAC module 110 may determine whether access to resource145 should be reestablished. In particular embodiments, the at least onesession rule 4130 may specify that access to resource 145 may bereestablished if a particular token 115, such as a subject token 115 k,is present. The token 115 may indicate that the event has been resolved.For example, the token 115 may indicate that the unauthorized accessassociated with device 114 has ceased or that the virus associated withdevice 114 has been removed. TBAC module 110 may receive the particulartoken 115 and apply the at least one session rule 4130 to determine thataccess to resource 145 should be reestablished. In particularembodiments, if TBAC module 110 had halted the transaction, TBAC module110 may continue the transaction after access to resource 145 has beenreestablished. If access should be reestablished, TBAC module 110 maycontinue to step 6825. However, if TBAC module 110 determines thataccess should not be reestablished, TBAC module 110 may conclude method6800.

The descriptions of FIGS. 59-68 do not describe all the functionalityassociated with session validation described with respect to FIGS. 41and 42 in order to emphasize particular aspects of session validation.However, this disclosure contemplates the system 100 performing anynumber and combination of functions associated with session validationin conjunction with the functionality described with respect to FIGS.59-68.

FIGS. 43 and 44 illustrate the system 100 performing data tokenization.In general, a user 112 may request a resource 145 that requires dataexternal to the resource 145. The external data may be retrieved from anexternal source, and a data token 115 e representing the external datamay be generated. The process of determining whether to initiate thedata tokenization process is discussed further with respect to FIGS. 43and 44.

TBAC module 110 may detect a request for external data. In response,TBAC module 110 may determine whether to initiate the data tokenizationprocess. The determination may be based at least in part upon thecredentials of user 112 and/or device 114. After data tokenization isinitiated, TBAC module 110 may receive a data token 115 e representingthe data.

FIG. 43 illustrates the system 100 of FIG. 1 performing datatokenization. As provided in FIG. 43, TBAC module 110 may correlatesubject token 115 k, network token 115 f, and resource token 115 c,among others as appropriate with session token 115 j. TBAC module 110may have received subject token 115 k from a token provider such as, forexample, private token provider 128 and public token provider 126. Inparticular embodiments, subject token 115 k may be associated with user112 and/or device 114, and may indicate a form of authentication, suchas biometric authentication, that has been performed by user 112 and/ordevice 114. In particular embodiments, TBAC module 110 may have receivednetwork token 115 f from a token provider such as, for example, networkprovider 122. Network token 115 f may be associated with network 120 andmay indicate a form of encryption performed by network 120.

In particular embodiments, resource token 115 c may be associated withresource 145. Resource 145 may require data that is external to theresource. For example, resource 145 may contain data fields that requiredata from an external database in order to be filled in. Access toresource 145 may be meaningless if the external data is not provided.However, accessing the external data may require particular forms ofauthentication or encryption to be performed.

In particular embodiments, TBAC module 110 may facilitate the process ofproviding the external data through a process called data tokenization.To start, TBAC module 110 may receive a first data token 115 e 1indicating that external data has been requested. First data token 115 e1 may be provided by a token provider such as, for example, data tokenprovider 129. In particular embodiments, user 112 and/or device 114 mayrequest access to resource 145. In response to the request for resource145, a token provider such as data token provider 129 may generate firstdata token 115 e 1 and transmit first data token 115 e 1 to TBAC module110.

In particular embodiments, TBAC module 110 may store dataToken rules4330 in memory 134. In particular embodiments, TBAC module 110 may usefirst data token 115 e 1, subject token 115 k, network token 115 f,among others as appropriate to access dataToken rule 4330. In particularembodiments, TBAC module 110 may use these tokens 115 to determine atleast one dataToken rule 4330. As an example and not by way oflimitation, TBAC module 110 may use first data token 115 e 1, subjecttoken 115 k, and network token 115 f to determine at least one dataTokenrules 4330 applicable to the external data requested represented byfirst data token 115 e 1, to user 112 and/or device 114 represented bysubject token 115 k, and to network 120 represented by network token 115f. The at least one dataToken rule 4330 may specify the conditions underwhich the external data may be provided to user 112 and/or device 114over network 120. In particular embodiments, the at least one dataTokenrule 4330 may specify that external data may be provided if particularforms of authentication and/or particular forms of encryption have beenperformed. As an example and not by way of limitation, dataToken rule4330 may specify that external data may be provided if user 112 and/ordevice 114 perform biometric authentication. As another example and notby way of limitation, dataToken rule 4330 may specify that external datamay be provided if device 114 authenticates itself with a propersubscriber identity module. As another example and not by way oflimitation, dataToken rule 4330 may specify that external data may beprovided if network 120 performs a particular form of encryption such asfor example, Wi-Fi Protected Access. Subject token 115 k and networktoken 115 f may indicate the forms of authentication and encryption thathave been performed. Although this disclosure describes dataToken rule4330 specifying particular forms of authentication and/or encryption,this disclosure contemplates dataToken rule 4330 specifying anyappropriate forms of authentication and/or encryption.

If the conditions specified by dataToken rule 4330 have been met, TBACmodule 110 may generate a message 4310. In particular embodiments,message 4310 may indicate that a second data token 115 e 2 should begenerated. Second data token 115 e 2 may represent the external dataitself. Second data token 115 e 2 may also represent particularattributes of the data, such as for example, the size of the data and aform of encryption performed on the data. In particular embodiments,TBAC module 110 may transmit message 4310 to a token provider such asdata token provider 129. In response, TBAC module 110 may receive seconddata token 115 e 2 from a token provider such as data token provider129. In particular embodiments, TBAC module 110 may generate second datatoken 115 e 2 after the determination that the conditions specified bydataToken rule 4330 have been met. TBAC module 110 may send second datatoken 115 e 2 to resource provider 140 for resource 145.

The illustration of system 100 in FIG. 43 does not specificallyillustrate all the elements from the illustration of system 100 of FIG.1 so that particular aspects of system 100 may be emphasized. However,system 100 of FIG. 43 includes all the elements of system 100 in FIG. 1.

FIG. 44 is a flowchart illustrating a method 4400 of data tokenization.TBAC module 110 may perform method 4400. TBAC module 110 may begin byreceiving a subject token 115 k in step 4410. Subject token 115 k mayindicate a form of authentication performed by user 112 and/or device114. TBAC module 110 may continue by receiving a network token 115 f instep 4420. Network token 115 f may indicate a form of encryptionperformed by network 120. TBAC module 110 may then receive a first datatoken 115 e 1 in step 4430. First data token 115 e 1 may indicate thatexternal data has been requested.

In response to receiving first data token 115 e 1, TBAC module 110 mayaccess dataToken rules 4330 in step 4433. In particular embodiments,TBAC module 110 may use subject token 115 k, network token 115 f, andfirst data token 115 e 1 to determine at least one dataToken rule 4330applicable to the external data, user 112 and/or device 114, and network120 represented by first data token 115 e 1, subject token 115 k, andnetwork token 115 f respectively. TBAC module 110 may then use the atleast one dataToken rule 4330 to determine necessary forms ofauthentication and encryption in step 4435. In particular embodiments,external data may not be provided unless the necessary forms ofauthentication and encryption have been performed. In step 4440, TBACmodule 110 may determine if a necessary form of authentication has beenperformed. In particular embodiments, this determination may be based onsubject token 115 k. If the necessary form of authentication has notbeen performed, TBAC module 110 may deny the generation of a second datatoken in step 4490. If the necessary form of authentication has beenperformed, TBAC module 110 may continue to determine if a necessary formof encryption has been performed in step 4450. In particularembodiments, this determination may be based on network token 115 f. Ifthe necessary form of encryption has not been performed, TBAC module 110may deny the generation of a second data token in step 4490.

If the necessary forms of authentication and encryption have beenperformed, TBAC module 110 may continue by generating a message 4310indicating that a second data token 115 e 2 should be generated in step4460. TBAC module 110 may continue by transmitting the message 4310 instep 4470. In particular embodiments, TBAC module 110 may transmit themessage to a token provider such as data token provider 129. Inresponse, the token provider may generate second data token 115 e 2.TBAC module 110 may receive the second data token 115 e 2 in step 4480.In other embodiments, TBAC module 110 may generate second data token 115e 2. In particular embodiments, second data token 115 e 2 may representthe external data.

FIGS. 45 and 46 illustrate system 100 handling transaction tokens. Ingeneral, when user 112 and/or device 114 requests a transaction to beperformed, an associated transaction token may be generated. Using thistransaction token, user 112 and/or device 114 may be authenticated, andauthorization to perform the transaction may be determined. This processof handling the transaction token is discussed further with respect toFIGS. 45 and 46.

TBAC module 110 may receive a transaction token indicating a requestedtransaction. A transaction may include any transfer of financialinformation from one party to another. Examples of transactions mayinclude purchases, payments, and fund transfers. In response toreceiving the transaction token, TBAC module 110 may determine whether auser and/or a device associated with the transaction have beenauthenticated. TBAC module 110 may further determine whether an entityassociated with the user and/or the device has authorized the userand/or the device to perform the transaction. TBAC module 110 may thenallow or deny the transaction as appropriate.

FIG. 45 illustrates the system 100 of FIG. 1 handling transaction tokens115 v. As provided by FIG. 45, TBAC module 110 may have correlated firstsubject token 115 k 1, resource token 115 c, network token 115 f, amongothers as appropriate to session token 115 j. First subject token 115 k1 may be associated with a user 112, a device 114, and/or an entity4500. Furthermore, user 112 and device 114 may be associated with entity4500. In particular embodiments, user 112 may use device 114 to requesta transaction 4540. As an example and not by way of limitation, entity4500 may be a department store and a manager at the department store maybe using a computer associated with the department store to send afinancial payment to a supplier.

In particular embodiments, TBAC module 110 may receive a transactiontoken 115 v associated with the transaction 4540. Transaction token 115v may indicate entity 4500 associated with the transaction 4540. TBACmodule 110 may use transaction token 115 v to determine first subjecttoken 115 k 1 associated with the user 112 and device 114 that requestedtransaction 4540. TBAC module 110 may use the transaction token 115 v,first subject token 115 k 1, resource token 115 c, network token 115 f,among others as appropriate to access transaction rules 4530 stored inmemory 134. In particular embodiments, transaction rules 4530 mayspecify whether there is an unacceptable risk that transaction 4540 isfraudulent. As an example and not by way of limitation, transactionrules 4530 may specify that transaction 4540 has an unacceptable risk ofbeing fraudulent if transaction 4540 involves an amount of money greaterthan an amount specified by transaction rules 4530. As another exampleand not by way of limitation, transaction rules 4530 may specify thattransaction 4540 has an unacceptable risk of being fraudulent if thefrequency of fraudulent transactions associated with user 112 and/ordevice 114 is too high. In particular embodiments, TBAC module 110 maydeny transaction 4540 if the risk that transaction 4540 is fraudulent istoo high.

In particular embodiments, the risk that transaction 4540 is fraudulentmay be reduced if the user 112 and/or the device 114 perform particularforms of authentication specified by transaction rules 4530. As anexample and not by way of limitation, the risk that transaction 4540 isfraudulent may be reduced if user 112 and/or device 114 performbiometric authentication. In particular embodiments, TBAC module 110 mayrequest user 112 and/or device 114 to perform a form of authentication.In response to performing the form of authentication, TBAC module 110may receive credentials 4520. In particular embodiments, device 114 mayprovide TBAC module 110 with credentials 4520. TBAC module 110 may alsoreceive second subject token 115 k 2 associated with credentials 4520.Second subject token 115 k 2 may further indicate that the form ofauthentication requested by TBAC module 110 has been performed. TBACmodule 110 may receive second subject token 115 k 2 from a tokenprovider such as, for example, private token provider 128 and publictoken provider 126. Based at least in part upon second subject token 115k 2, TBAC module 110 may determine that user 112 and device 114 areassociated with entity 4500.

In particular embodiments, the risk that transaction 4540 is fraudulentmay be further reduced if TBAC module 110 determines that entity 4500has authorized user 112 and device 114 to perform the transaction 4540.TBAC module 110 may determine that user 112 and/or device 114 areauthorized to perform the transaction 4540 based on second subject token115 k 2. As an example and not by way of limitation, based on secondsubject token 115 k 2, TBAC module 110 may determine that user 112 anddevice 114 are associated with a department store and that thedepartment store has authorized user 112 to use device 114 to pay asupplier a large sum of money on behalf of the department store. Inresponse to this determination, TBAC module 110 may determine that therisk that transaction 4540 is fraudulent has been reduced. In particularembodiments, TBAC module 110 may allow transaction 4540 when the riskthat transaction 4540 is fraudulent has reduced to an acceptable levelbased on transaction rule 4530.

In particular embodiments, user 112 and/or device 114 may request atransaction without being associated with entity 4500. As an example andnot by way of limitation, user 112 may be using his mobile phone topurchase an item. When user requests the purchase, transaction token 115v may be generated and transmitted to TBAC module 110. Based at least inpart upon transaction token 115 v, TBAC module 110 may determine atleast one transaction rule 4530 applicable to the user 112 and histransaction 4540. TBAC module 110 may then determine, based on the rule,whether the risk that the purchase request is fraudulent is unacceptablyhigh. If it is, TBAC module 110 may deny the purchase. Otherwise, TBACmodule 110 may allow the purchase.

The illustration of system 100 in FIG. 45 does not specificallyillustrate all the elements from the illustration of system 100 in FIG.1 so that particular aspects of system 100 may be emphasized. However,system 100 of FIG. 45 includes all the elements of system 100 in FIG. 1.

FIG. 46 is a flowchart illustrating a method 4600 of handlingtransaction tokens 115 v. TBAC module 110 may perform method 4600. TBACmodule 110 may begin by detecting a request for a transaction 4540 instep 4610. In particular embodiments, TBAC module 110 may receive atransaction token 115 v associated with the request for the transaction4540. Transaction token 115 v may be generated in response to user 112and/or device 114 requesting transaction 4540. In step 4620 TBAC module110 may access transaction rules 4530. In particular embodiments, TBACmodule 110 may use transaction token 115 v to access transaction rules4530. Transaction rules 4530 may specify whether there is anunacceptable risk that transaction 4540 is unacceptable. In step 4630TBAC module 110 may determine if there is a risk that the transaction4540 is fraudulent based upon a particular transaction rule 4530.

In particular embodiments, if there is no risk that the transaction 4540is fraudulent or if the risk is acceptably low, TBAC module 110 mayallow the transaction 4540 in step 4670. However, if the risk isunacceptably high, TBAC module 110 may request a form of authenticationbe performed in step 4640. In step 4650 TBAC module 110 may determine ifthe form of authentication has been performed. In particularembodiments, TBAC module 110 may make this determination based on areceived second subject token 115 k 2 associated with the form ofauthentication being performed. If the form of authentication has notbeen performed, TBAC module 110 may deny the transaction 4540 in step4680. If the form of authentication has been performed, TBAC module 110may continue to step 4660 to determine if the transaction 4540 isauthorized. In particular embodiments, the form of authentication mayidentify a user 112 and a device 114 associated with an entity 4500.However, the entity 4500 may not have authorized user 112 and device 114to perform the transaction 4540. In that case, TBAC module 110 may denythe transaction in step 4680. However, if user 112 and device 114 areauthorized to perform the transaction 4540, then TBAC module 110 mayallow the transaction in step 4670.

FIGS. 47-54 illustrate the system 100 of FIG. 1 making access decisionsbased on various access values such as assurance level, trust level,integrity level, and risk level. These access values represent variousaspects of user 112, device 114, resource 145, and/or network 120 thataffect the security risks associated with granting access to resource145. The process of making access decisions using these access valueswill be discussed further with respect to FIGS. 47-54.

TBAC module 110 may make access decisions using various access valuessuch as assurance level, trust level, and integrity level. TBAC module110 may determine these values based on token based rules, subjecttokens 115 k, resource tokens 115 c, network tokens 115 f, and any otherappropriate tokens 115. TBAC module 110 may make access decisions usingthese access values whether alone or in combination with each other.

Assurance levels are the access values associated with users 112 and/ordevices 114. Assurance levels may represent a measure of the riskassociated with granting user 112 and/or device 114 access to resource145. Particular forms of authentication and particular security featuresassociated with user 112 and/or device 114 may influence this risk andtherefore, the access level. The process of determining and using accesslevels to make access decisions is discussed with respect to FIGS. 47and 48.

Trust levels are the access values associated with resource 145. Trustlevels may represent a measure of the risk associated with grantingaccess to resource 145. Particular forms of authentication andparticular security features associated with resource 145 may influencethis risk and therefore, the trust level. The process of determining andusing trust levels to make access decisions is discussed with respect toFIGS. 49 and 50.

Integrity levels are the access values associated with network 120.Integrity levels may represent a measure of the risk associated withgranting access to resource 145 over network 120. Particular forms ofencryption and particular security features associated with network 120may influence this risk and therefore, the integrity level. The processof determining and using integrity levels to make access decisions isdiscussed with respect to FIGS. 51 and 52.

Risk levels are the access values associated with the overall riskassociated with granting user 112 and/or device 114 access resource 145over network 120. Risk levels may be derived from assurance levels,trust levels, and/or integrity levels. Therefore, any changes, features,forms of authentication, forms of encryption, or any aspect associatedwith user 112, device 114, resource 145, and network 120 may influencethe risk levels. The process of determining and using risk levels tomake access decisions is discussed with respect to FIGS. 53 and 54.

FIGS. 47-48 illustrate the system 100 of FIG. 1 determining assurancelevels. Assurance levels may correspond to the risk that user 112 and/ordevice 114 have been incorrectly identified. TBAC module 110 may use theassurance level to make an access decision in order to avoid grantingaccess to an inappropriate user 112 and/or device 114. The process ofdetermining and making access decisions based on assurance levels isdiscussed further with respect to FIGS. 47-48.

FIG. 47 illustrates the system 100 of FIG. 1 determining assurancelevels 4750. As provided by FIG. 47, TBAC module 110 may correlatesubject token 115 k, network token 115 f, among others as appropriatewith session token 115 j. TBAC module 110 may receive resource token 115c associated with resource 145. In particular embodiments, resourcetoken 115 c may indicate that user 112 and/or device 114 have requestedaccess to resource 145. To determine whether to grant user 112 and/ordevice 114 access to resource 145, TBAC module 110 may determine anassurance level 4750 and compare assurance level 4750 with a requiredassurance level 4740.

To determine assurance level 4750, TBAC module 110 may utilize assurancerules 4730 stored in memory 134. In particular embodiments, TBAC module110 may use resource token 115 c, subject token 115 k, among others asappropriate to access assurance rules 4730. Based on one or more ofthese tokens 115, TBAC module 110 may determine at least one assurancerule 4730 applicable to resource 145, user 112, and/or device 114. Theat least one assurance rule 4730 may specify a required assurance level4740 associated with resource 145. In particular embodiments, assurancelevel 4750 may be compared with required assurance level 4740 todetermine if access to resource 145 may be granted. The at least oneassurance rule 4730 may further specify how to determine assurance level4750. In particular embodiments, the at least one assurance rule 4730may associate different assurance levels 4750 with different numbers andcombinations of subject tokens 115 k. TBAC module 110 may examine thesubject tokens 115 k associated with user 112 and device 114 and thendetermine if any of the combinations of subject tokens 115 k specifiedby assurance rules 4730 are present. Based on the combinations ofsubject tokens 115 k that are present, TBAC module 110 may apply the atleast one assurance rule 4730 and determine an assurance level 4750associated with user 112 and device 114.

In particular embodiments, TBAC module 110 may determine whether togrant or deny access to resource 145 associated with resource token 115c by comparing assurance level 4750 with required assurance level 4740.As an example and not by way of limitation, TBAC module 110 may denyaccess to resource 145 if assurance level 4750 is less than requiredassurance level 4740. Although this disclosure describes TBAC module 110denying access to resource 145 if assurance level 4750 is less thanrequired assurance level 4740, one of ordinary skill in the art wouldunderstand that TBAC module 110 may be modified to deny access toresource 145 if assurance level 4750 is greater than or equal torequired assurance level 4740. Furthermore, the values of assurancelevel 4750 and required assurance level 4740 may be alphanumeric,symbolic, or any appropriate values recognized and comparable by TBACmodule 110.

In particular embodiments, TBAC module 110 may redetermine assurancelevel 4750 when a change to subject tokens 115 k occurs. TBAC module 110may receive an updated subject token 115 k 5 from a token provider suchas a private token provider 128 or public token provider 126. Based onupdated subject token 115 k 5, TBAC module 110 may update assurancelevel 4750. After updating assurance level 4750, TBAC module 110 maydetermine whether to grant or deny access to resource 145. As an exampleand not by way of limitation, updated subject token 115 k 5 may indicatethat user 112 and/or device 114 have performed a form of authentication,such as biometric authentication. Updated subject token 115 k 5 maytherefore reduce the risk that user 112 and/or device 114 have beenincorrectly identified. TBAC module 110 may update assurance level 4750accordingly, and then compare assurance level 4750 to required assurancelevel 4740. TBAC module 110 may determine, based at least in part uponthe at least one assurance rule 4730, that assurance level 4750 issufficient to grant access to resource 145 after the update. TBAC module110 may then grant access to resource 145.

In particular embodiments, the assurance level 4750 may correspond tothe risk that user 112 and/or device 114 have been incorrectlyidentified. An incorrect identification may lead TBAC module 110 toreceive subject tokens 115 k indicating a different user 112 and/ordevice 114 have requested access to resource 145. An incorrectidentification may also result from a different user 112 stealing anaccount associated with user 112. Various subject tokens 115 k mayreduce this risk. As an example and not by way of limitation, a subjecttoken 115 k may indicate that user 112 and/or device 114 have performedbiometric authentication, thus increasing the chances that user 112and/or device 114 have been correctly identified. Likewise, a subjecttoken 115 k that indicates that an account associated with user 112 hasnot been compromised by a hacker or a thief may also increase the chancethat user 112 and/or device 114 have been correctly identified.Similarly, subject tokens 115 k associated with identification devicesof device 114 may reduce the risk that device 114 has been incorrectlyidentified. As an example and not by way of limitation, subject tokens115 k associated with a trusted platform module security device of thedevice 114 and/or a subscriber identity module of device 114. Thesedevices may enable device 114 to provide more reliable forms ofauthentication for various elements of system 100.

Likewise, subject tokens 115 k associated with security features ofdevice 114 may further reduce the risk that device 114 has beenincorrectly identified. As an example and not by way of limitation,subject tokens 115 k that indicate that device 114 is not affected by avirus. This subject token 115 k may therefore make authenticationperformed by the device 114 to be more reliable because any credentialspassed by the device will not have been influenced by a virus on thedevice 114. Therefore, this subject token 115 k may reduce the risk thatdevice 114 has been incorrectly identified. As another example and notby way of limitation, subject token 115 k may indicate that device 114is associated with a firewall. The firewall may make authentication sentfrom device 114 to be more reliable because the firewall may filter outcorrupted information sent from device 114. Therefore, this subjecttoken 115 k may reduce the risk that device 114 has been incorrectlyidentified. As yet another example and not by way of limitation, subjecttoken 115 k may indicate that device 114 is operable to performbiometric authentication. In particular environments, a biometricauthentication enabled device may provide more reliable authenticationthan devices 114 that cannot perform biometric authentication.Therefore, this subject token 115 k may reduce the risk that user 112and/or device 114 have been incorrectly identified. Although thisdisclosure describes subject tokens 115 k indicating particular actionsor features associated with user 112 and/or device 114 that reduce therisk that user 112 and/or device 114 have been incorrectly identified,this disclosure contemplates subject tokens 115 k or any combination ofsubject tokens 115 k indicating any appropriate feature or actionassociated with user 112 and/or device 114 that reduces the risk thatuser 112 and/or device 114 have been incorrectly identified.

In particular embodiments, assurance level 4750 may correspond with thenumber of subject tokens 115 k present in a particular combination ofsubject tokens 115 k. As an example and not by way of limitation, afirst combination of subject tokens 115 k may include a subject token115 k that indicates that the user 112 and/or device 114 have performedbiometric authentication and a subject token 115 k that indicates thatdevice 114 has a firewall. That first combination may be associated witha better assurance level 4750 than a second combination of subjecttokens 115 k that only includes a subject token 115 k that indicatesthat device 114 is not infected by a virus. As another example and notby way of limitation, a first combination of subject tokens 115 k thatincludes five subject tokens 115 k may be associated with a betterassurance level 4750 than a second combination of subject tokens 115 kthat only includes two subject tokens 115 k. In this manner, TBAC module110 may abstract into an assurance level 4750 various actions andfeatures of user 112 and/or device 114 that reduce the risk that user112 and/or device 114 have been incorrectly identified.

The illustration of system 100 in FIG. 47 does not specificallyillustrate all of the elements from the illustration of system 100 inFIG. 1 so that particular aspects of system 100 may be emphasized.However, system 100 of FIG. 47 includes all the elements of system 100in FIG. 1.

FIG. 48 is a flowchart illustrating a method 4800 of determiningassurance levels 4750. TBAC module 110 may perform method 4800. Asprovided by FIG. 48, TBAC module 110 may begin by receiving a resourcetoken 115 c indicating access to a resource 145 has been requested instep 4810. TBAC module 110 may then access assurance rules 4730 in step4820. In particular embodiments, TBAC module 110 may use resource token115 c and subject tokens 115 k, among others as appropriate, to accessassurance rules 4730. TBAC module 110 may use these tokens 115 todetermine at least one assurance rule 4730 applicable to resource 145.In particular embodiments, the at least one assurance rule 4730 mayspecify a required assurance level 4750 necessary to grant access toresource 145 and may associate assurance levels 4750 with particularcombinations of subject tokens 115 k.

In step 4830, TBAC module 110 may determine a required assurance level4740 necessary to grant access to the resource 145. In particularembodiments, the at least one assurance rule 4730 may specify therequired assurance level 4740. In step 4840, TBAC module 110 maydetermine an assurance level 4750. In particular embodiments, theassurance level 4750 may correspond with particular combinations ofsubject tokens 115 k specified by the at least one assurance rule 4730.As an example and not by way of limitation, the at least one assurancerule 4730 may associate a first combination of subject tokens 115 k witha particular assurance level 4750, and may associate a secondcombination of subject tokens 115 k with a different assurance level4750 because the first and second combinations of subject tokens 115 kmay include different subject tokens 115 k.

TBAC module 110 may compare the assurance level 4750 with the requiredassurance level 4740 in step 4850. In step 4860, TBAC module 110 maydetermine whether the assurance level 4750 is sufficient to grant accessto resource 145. As an example and not by way of limitation, TBAC module110 may grant access to resource 145 in step 4870 if assurance level4750 is greater than or equal to the required assurance level 4740. IfTBAC module 110 determines that assurance level 4750 is insufficient togrant access to resource 145, TBAC module 110 may deny access toresource 145 in step 4865. TBAC module 110 may then receive an updatedsubject token 115 k 5 in step 4880. Updated subject token 115 k 5 mayindicate an action or a feature associated with user 112 and/or device114 that reduces the risk that user 112 and/or device 114 have beenincorrectly identified. After receiving updated subject token 115 k 5,TBAC module 110 may return to step 4840 to determine the assurance level4750 based on the updated subject token 115 k 5.

FIGS. 49-50 illustrate the system 100 of FIG. 1 determining trustlevels. Trust levels may correspond to the risk that resource 145 isincorrect or has been compromised. TBAC module 110 may use the trustlevel to make an access decision in order to avoid granting access to anunrequested resource 145 or to a resource 145 that may corrupt device114. The process of determining and making access decisions based ontrust levels is discussed further with respect to FIGS. 49-50.

FIG. 49 illustrates the system 100 of FIG. 1 determining trust levels4950. As provided by FIG. 49, TBAC module 110 may correlate resourcetoken 115 c, network token 115 f, subject token 115 k among others asappropriate with session token 115 j. TBAC module 110 may receive firstresource token 115 c 1 associated with resource 145. In particularembodiments, first resource token 115 c 1 may indicate that user 112and/or device 114 have requested access to resource 145. To determinewhether to grant user 112 and/or device 114 access to resource 145, TBACmodule 110 may determine a trust level 4950, and compare trust level4950 with a required trust level 4940.

To determine trust level 4950, TBAC module 110 may utilize trust rules4930 stored in memory 134. In particular embodiments, TBAC module 110may use resource token 115 c and first resource token 115 c, subjecttoken 115 k, among others as appropriate to access trust rules 4930.Based on these tokens 115, TBAC module 110 may determine at least onetrust rule 4930 applicable to resource 145, user 112, and/or device 114.The at least one trust rule 4930 may specify a required trust level 4940associated with resource 145. In particular embodiments, trust level4950 may be compared with required trust level 4940 to determine ifaccess to resource 145 may be granted. The at least one trust rule 4930may further specify how to determine trust level 4950. In particularembodiments, the at least one trust rule 4930 may associate differenttrust levels 4950 with different numbers and combinations of resourcetokens 115 c. TBAC module 110 may examine the resource tokens 115 cassociated with resource 145 and then determine if any of thecombinations of resource tokens 115 c specified by trust rules 4930 arepresent. Based on the combinations of resource tokens 115 c that arepresent, TBAC module 110 may apply the at least one trust rule 4930 anddetermine a trust level 4950 associated with resource 145.

In particular embodiments, TBAC module 110 may determine whether togrant or deny access to resource 145 associated with resource token 115c by comparing trust level 4950 with required trust level 4940. As anexample and not by way of limitation, TBAC module 110 may deny access toresource 145 if trust level 4950 is less than required trust level 4940.Although this disclosure describes TBAC module 110 denying access toresource 145 if trust level 4950 is less than required trust level 4940,one of ordinary skill in the art would understand that TBAC module 110may be modified to deny access to resource 145 if trust level 4950 isgreater than or equal to required trust level 4940. Furthermore, thevalues of trust level 4950 and required trust level 4940 may bealphanumeric, symbolic, or any appropriate values recognized andcomparable by TBAC module 110.

In particular embodiments, TBAC module 110 may redetermine trust level4950 when a change to resource tokens 115 c occurs. TBAC module 110 mayreceive an updated resource token 115 c 3. Based on updated resourcetoken 115 c 3, TBAC module 110 may update trust level 4950. Afterupdating trust level 4950, TBAC module 110 may determine whether togrant or deny access to resource 145. As an example and not by way oflimitation, updated resource token 115 c 3 may indicate that a form ofauthentication associated with the resource 145, such as Kerberosauthentication, has been performed. Updated resource token 115 c 3 maytherefore reduce the risk that resource 145 is not the resource 145requested by user 112 and/or device 114. As another example and not byway of limitation, updated resource token 115 c 3 may indicate that asecurity feature associated with resource 145, such as firewall or anantivirus, has not been compromised. Updated resource token 115 c 3 maytherefore reduce the risk of resource 145 corrupting device 114. Basedat least in part upon updated resource token 115 c 3 and the at leastone trust rule 4930, TBAC module 110 may update trust level 4950accordingly, and then compare trust level 4950 to required trust level4940. TBAC module 110 may determine, based at least in part upon the atleast one trust rule 4930, that trust level 4950 is sufficient to grantaccess to resource 145 after the update. TBAC module 110 may then grantaccess to resource 145.

In particular embodiments, the trust level 4950 may correspond to therisk that resource 145 is not the resource 145 that user 112 and/ordevice 114 requested. Various resource tokens 115 c may reduce thisrisk. As an example and not by way of limitation, a resource token 115 cmay indicate that a form of authentication associated with the resource,such as Kerberos authentication, has been performed. As another exampleand not by way of limitation, a resource token 115 c may indicate thatresource 145 is associated with a digital certificate. As yet anotherexample, resource token 115 c may indicate that the resource isassociated with a trusted platform module security device or a virtualprivate network. Kerberos authentication, digital certificates, trustedplatform module security devices, and virtual private networks may makeauthentication provided by resource 145 more reliable and trustworthy.In this manner, these resource tokens 115 c reduce the risk thatresource 145 is not the resource requested by user 112 and/or device114. TBAC module 110 may use these resource tokens 145 c in determiningtrust level 4950.

In particular embodiments, the trust level 4950 may correspond to therisk that resource 145 is compromised or that security associated withresource 145 is compromised such that accessing resource 145 may corruptdevice 114. Various resource tokens 115 c may reduce this risk. As anexample and not by way of limitation, a resource token 115 c mayindicate that the resource 145 is associated with a firewall or anantivirus. As another example and not by way of limitation, resourcetoken 15 c may indicate that the resource 145 has not been infected by avirus. If resource 145 has been infected by a virus, then grantingaccess to resource 145 may lead device 114 to also be infected oraffected by the virus. In this manner, these resource tokens 115 creduce the risk that accessing resource 145 may corrupt device 114. TBACmodule 110 may use these resource tokens 145 c in determining trustlevel 4950. Although this disclosure describes resource tokens 115 cindicating particular actions or features associated with resource 145that reduce the risk that resource 145 is incorrect or compromised, thisdisclosure contemplates resource tokens 115 c or any combination ofresource tokens 115 c indicating any appropriate feature or actionassociated with resource 145 that reduce the risk that resource 145 isincorrect or compromised.

In particular embodiments, trust level 4950 may correspond with thenumber of resource tokens 115 c present in a particular combination ofresource tokens 115 c. As an example and not by way of limitation, afirst combination of resource tokens 115 c may include a resource token115 c that indicates that the Kerberos authentication associated withthe resource 145 has been performed, and a resource token 115 c thatindicates that the resource 145 is associated with a firewall. Thatfirst combination may be associated with a better trust level 4950 thana second combination of resource tokens 115 c that only includes aresource token 115 c that indicates that resource 145 is not infected bya virus. In this manner, TBAC module 110 may abstract into a trust level4950, various actions and features associated with resource 145 thatreduce the risk that resource 145 is incorrect and/or compromised.

The illustration of system 100 in FIG. 49 does not specificallyillustrate all of the elements from the illustration of system 100 inFIG. 1 so that particular aspects of system 100 may be emphasized.However, system 100 of FIG. 49 includes all the elements of system 100in FIG. 1.

FIG. 50 is a flowchart illustrating a method 5000 of determining trustlevels 4950. TBAC module 110 may perform method 5000. As provided byFIG. 50, TBAC module 110 may begin by receiving a first resource token115 c 1 indicating access to a resource 145 has been requested in step5010. TBAC module 110 may then access trust rules 4930 in step 5020. Inparticular embodiments, TBAC module 110 may use resource tokens 115 cand first resource token 115 c 1, and subject tokens 115 k, among othersas appropriate, to access trust rules 4930. TBAC module 110 may usethese tokens 115 to determine at least one trust rule 4930 applicable toresource 145. In particular embodiments, the at least one trust rule4930 may specify a required trust level 4940 necessary to grant accessto resource 145, and may associate trust levels 4950 to particularcombinations of resource tokens 115 c.

In step 5030, TBAC module 110 may determine a required trust level 4940necessary to grant access to the resource 145. In particularembodiments, the at least one trust rule 4930 may specify the requiredtrust level 4940. In step 5040, TBAC module 110 may determine a trustlevel 4950. In particular embodiments, the trust level 4950 maycorrespond with particular combinations of resource tokens 115 cspecified by the at least one trust rule 4930. TBAC module 110 maydetermine that a particular combination of resource tokens 115 cspecified by the at least one trust rule 4930 is present, and determinethe associated trust level 4950 specified by the at least one rule 4930.TBAC module 110 may compare the trust level 4950 with the required trustlevel 4940 in step 5050. In step 5060, TBAC module 110 may determinewhether the trust level 4950 is sufficient to grant access to resource145. As an example and not by way of limitation, TBAC module 110 maygrant access to resource 145 in step 5070 if trust level 4950 is greaterthan or equal to the required trust level 4940. If TBAC module 110determines that trust level 4950 is insufficient to grant access toresource 145, TBAC module 110 may deny access to resource 145 in step5065. TBAC module 110 may then receive an updated resource token 115 c 3in step 5080. Updated resource token 115 c 3 may indicate an action or afeature associated with resource 145 that reduces the risk that resource145 is incorrect or compromised. After receiving updated resource token115 c 3, TBAC module 110 may return to step 5040 to determine the trustlevel 4950 based on the updated resource token 115 c 3.

FIGS. 51-52 illustrate the system 100 of FIG. 1 determining integritylevels. Integrity levels may correspond to the integrity of the datatrafficked over network 120. TBAC module 110 may use the integrity levelto make an access decision in order to avoid granting access to aresource over an insecure network 120. The process of determining andmaking access decisions based on integrity levels is discussed furtherwith respect to FIGS. 51-52.

FIG. 51 illustrates the system 100 of FIG. 1 determining integritylevels 5150. As provided by FIG. 51, TBAC module 110 may correlatesubject token 115 k, network token 115 f, among others as appropriatewith session token 115 j. TBAC module 110 may receive resource token 115c associated with resource 145. In particular embodiments, resourcetoken 115 c may indicate that user 112 and/or device 114 have requestedaccess to resource 145. To determine whether to grant access to resource145 over network 120, TBAC module 110 may determine an integrity level5150 and compare integrity level 5150 with a required integrity level5140.

To determine integrity level 5150, TBAC module 110 may utilize integrityrules 5130 stored in memory 134. In particular embodiments, TBAC module110 may use resource token 115 c, network token 115 f, among others asappropriate to access integrity rules 5130. Based on these tokens 115,TBAC module 110 may determine at least one integrity rule 5130applicable to resource 145 and network 120. The at least one integrityrule 5130 may specify a required integrity level 5140 associated withnetwork 120. In particular embodiments, integrity level 5150 may becompared with required integrity level 5140 to determine if access overnetwork 120 may be granted. The at least one integrity rule 5130 mayfurther specify how to determine integrity level 5150. In particularembodiments, the at least one integrity rule 5130 may associatedifferent integrity levels 5150 with different combinations of networktokens 115 f. TBAC module 110 may examine the network tokens 115 fassociated with network 120 and then determine if any of thecombinations of network tokens 115 f specified by integrity rules 5130are present. Based on the combinations of network tokens 115 f that arepresent, TBAC module 110 may apply the at least one integrity rule 5130and determine an integrity level 5150 associated with user network 120.

In particular embodiments, TBAC module 110 may determine whether togrant or deny access to resource 145 associated with resource token 115c by comparing integrity level 5150 with required integrity level 5140.As an example and not by way of limitation, TBAC module 110 may denyaccess to resource 145 if integrity level 5150 is less than requiredintegrity level 5140. Although this disclosure describes TBAC module 110denying access to resource 145 if integrity level 5150 is less thanrequired integrity level 5140, one of ordinary skill in the art wouldunderstand that TBAC module 110 may be modified to deny access toresource 145 if integrity level 5150 is greater than or equal torequired integrity level 5140. Furthermore, the values of integritylevel 5150 and required integrity level 5140 may be alphanumeric,symbolic, or any appropriate values recognized and comparable by TBACmodule 110.

In particular embodiments, TBAC module 110 may generate a message 5160in response to denying access to resource 145. Message 5160 may indicatethe denial of access, and may further indicate the reason for thedenial, such as for example, that a connection associated with network120 is not secure. TBAC module 110 may transmit the message to anelement of system 100, such as for example device 114, to notify theelement of the issues associated with network 120. In this manner, theappropriate element of system 100 may remedy the issues associated withnetwork 120.

In particular embodiments, TBAC module 110 may redetermine integritylevel 5150 when a change to network tokens 115 f occurs. TBAC module 110may receive an updated network token 115 f 2 in response to transmittingmessage 5160. Updated network token 115 f 2 may come from a tokenprovider such as network token provider 122. Updated network token 115 f2 may indicate an action or feature of network 120 that increases theintegrity of the data trafficked over network 120, such as for examplethat a connection associated with network 120 is a dedicated connection.As another example and not by way of limitation, updated network token115 f may indicate that network 120 performs a form of encryption, suchas Wi-Fi Protected Access. Based on updated network token 115 f 2, TBACmodule 110 may update integrity level 5150. TBAC module 110 may updateintegrity level 5150 accordingly, and then compare integrity level 5150to required integrity level 5140. TBAC module 110 may determine thatafter the update, integrity level 5150 is sufficient to grant access toresource 145. TBAC module 110 may then grant access to resource 145.

In particular embodiments, the integrity level 5150 may correspond tothe integrity of the data trafficked over network 120. Various networktokens 115 f may increase this integrity. As an example and not by wayof limitation, a network token 115 f may indicate that the network 120performs a form of encryption, such as Wi-Fi Protected Accessencryption, thus increasing the integrity of the data trafficked overthe network 120. Likewise, a network token 115 f that indicates thatnetwork 120 supports dedicated connections may also increase theintegrity of the data trafficked over the network 120. Similarly,network tokens 115 f indicating that network 120 includes a terminalnode controller may also increase the integrity of the data traffickedover the network 120. Similarly, network tokens 115 k indicating thatthe network performs transport layer security or host identity protocolmay increase the integrity of the data trafficked over the network 120.As another example and not by way of limitation, network tokens 115 fthat indicate that network 120 has a firewall or is not affected by avirus may increase the integrity of the data trafficked over network120. Although this disclosure describes network tokens 115 f indicatingparticular actions or features associated with network 120 that increasethe integrity of data trafficked over network 120, this disclosurecontemplates network tokens 115 f or any combination of network tokens115 f indicating any appropriate feature or action associated withnetwork 120 that increase the integrity of data trafficked over network120.

In particular embodiments, integrity level 5150 may correspond with thenumber of network tokens 115 f present in a particular combination ofnetwork tokens 115 f. As an example and not by way of limitation, afirst combination of network tokens 115 f may include a network token115 f that indicates that network 120 supports dedicated connections anda network token 115 f that indicates that network 120 provides transportlayer security. That first combination may be associated with a betterintegrity level 5150 than a second combination of network tokens 115 fthat only includes a network token 115 f that indicates that network 120has a firewall. In this manner, TBAC module 110 may abstract into anintegrity level 5150 various actions and features of network 120 thatincrease the integrity of the data trafficked over network 120.

The illustration of system 100 in FIG. 51 does not specificallyillustrate all of the elements from the illustration of system 100 inFIG. 1 so that particular aspects of system 100 may be emphasized.However, system 100 of FIG. 51 includes all the elements of system 100in FIG. 1.

FIG. 52 is a flowchart illustrating a method 5200 of determiningintegrity levels 5150. TBAC module 110 may perform method 5200. Asprovided by FIG. 52, TBAC module 110 may begin by receiving a resourcetoken 115 c indicating access to a resource 145 has been requested instep 5210. TBAC module 110 may then access integrity rules 5130 in step5220. In particular embodiments, TBAC module 110 may use resource token115 c and network tokens 115 f, among others as appropriate, to accessintegrity rules 5130. TBAC module 110 may use these tokens 115 todetermine at least one integrity rule 5130 applicable to resource 145.In particular embodiments, the at least one integrity rule 5130 mayspecify a required integrity level 5140 necessary to grant access toresource 145 over network 120, and may associate integrity levels 5150to particular combinations of network tokens 115 f.

In step 5230, TBAC module 110 may determine a required integrity level5140 necessary to grant access to the resource 145. In particularembodiments, the at least one integrity rule 5130 may specify therequired integrity level 5140. In step 5240 TBAC module 110 maydetermine an integrity level 5150. In particular embodiments, theintegrity level 5150 may correspond with particular combinations ofnetwork tokens 115 f specified by the at least one integrity rule 5130.TBAC module 110 may compare the integrity level 5150 with the requiredintegrity level 5140 in step 5250. In step 5260, TBAC module 110 maydetermine whether the integrity level 5150 is sufficient to grant accessto resource 145. As an example and not by way of limitation, TBAC module110 may grant access to resource 145 in step 5270 if integrity level5150 is greater than or equal to the required integrity level 5140.

If TBAC module 110 determines that integrity level 5150 is insufficientto grant access to resource 145, TBAC module 110 may deny access toresource 145 in step 5265. In response to denying access, TBAC module110 may generate a message 5160 indicating the denial of access in step5267. In particular embodiments, message 5160 may further indicate thereason for the denial. TBAC module 110 may then transmit the message instep 5268. In particular embodiments, TBAC module 110 may transmit themessage to an appropriate element of system 100 that can resolve theissue with network 120 supporting the denial of access. Aftertransmitting the message 5160, TBAC module 110 may then receive anupdated network token 115 f 2 in step 5280. Updated network token 115 f2 may indicate an action or a feature associated with network 120 thatincreases the integrity of data trafficked over network 120. Afterreceiving updated network token 115 f 2, TBAC module 110 may return tostep 5240 to determine the integrity level 5150 based on the updatednetwork token 115 f 2.

FIGS. 53-54 illustrate the system 100 of FIG. 1 performing expertdecisioning. In general, access decisions may be made based upon accessvalues that were determined from other access values. For example,system 100 may determine a risk level by combining an assurance level4750, trust level 4950, and integrity level 5150 as described withrespect to FIGS. 47-52. Access decisions may then be made based on therisk level. The process of making access decisions based on accessvalues determined from other access values is known as expertdecisioning and is discussed further with respect to FIGS. 53-54.

TBAC module 110 may determine particular access values based on tokens115. For example, TBAC module 110 may determine assurance levels 4750,trust levels 4950, and/or integrity levels 5150 using subject tokens 115k, resource tokens 115 c, network tokens 115 f, among others asappropriate as described above with respect to FIGS. 47-52. TBAC module110 may further determine and make access decisions based upon accessvalues that are determined from these previously determined accessvalues. For example, TBAC module 110 may use assurance levels 4750,trust levels 4950, and/or integrity levels 5150 to determine a risklevel. TBAC module 110 may then use the risk level to make an accessdecision.

FIG. 53 illustrates the system 100 of FIG. 1 performing expertdecisioning. As provided by FIG. 43, TBAC module 110 may correlatesubject token 115 k, network token 115 f, among others as appropriate,with session token 115 j. In particular embodiments, TBAC module 110 mayreceive resource token 115 c indicating that access to resource 145 hasbeen requested. TBAC module 110 may determine that access has beenrequested in response to receiving resource token 115 c.

In particular embodiments, TBAC module 110 may use subject token 115 k,resource 115 c, and network 115 f to determine access values such asassurance level 4750, trust level 4950, and integrity level 5150. TBACmodule 110 may use subject token 115 k, among others as appropriate, todetermine assurance level 4750 as described above with respect to FIGS.47 and 48. TBAC module 110 may use resource token 115 c, among others asappropriate, to determine trust level 4950 as described above withrespect to FIGS. 49 and 50. TBAC module 110 may use network token 115 f,among others as appropriate, to determine integrity level 5150 asdescribed above with respect to FIGS. 51 and 52.

In particular embodiments, TBAC module 110 may store expert decisionrules 5330 in memory 134. TBAC module 110 may use tokens 115, assurancelevel 4750, trust level 4950, integrity level 5150, and any otherappropriate access values to access expert decision rules 5330. Inparticular embodiments, in response to receiving resource token 115 cand determining that access to resource 145 has been requested, TBACmodule 110 may use tokens 115, such as resource token 115 c, and theappropriate access values to determine at least one expert decision rule5330 applicable to resource 145. The at least one expert decision rule5330 may specify a required risk level 5340 necessary to grant access toresource 145. The at least one expert decision rule 5330 may furtherassociate risk levels 5350 with particular combinations of accessvalues. As an example and not by way of limitation, the at least oneexpert decision rule 5330 may associate a particular risk level 5350with a particular combination of values for assurance level 4750, trustlevel 4950, and integrity level 5150. TBAC module 110 may examine accessvalues such as assurance level 4750, trust level 4950, and integrity5150 to determine if any of the combinations of access values specifiedby the least one expert decision rule 5330 are present. Based on thecombinations of access values that are present, TBAC module 110 mayapply the at least one expert decision rule 5330 and determine a risklevel 5350.

In particular embodiments, TBAC module 110 may determine whether togrant or deny access to resource 145 associated with resource token 115c by comparing risk level 5350 with required risk level 5340. As anexample and not by way of limitation, TBAC module 110 may deny access toresource 145 if risk level 5350 is less than required risk level 5340.Although this disclosure describes TBAC module 110 denying access toresource 145 if risk level 5350 is less than required risk level 5340,one of ordinary skill in the art would understand that TBAC module 110may be modified to deny access to resource 145 if risk level 5350 isgreater than or equal to required risk level 5340. Furthermore, thevalues of risk level 5350 and required risk level 5340 may bealphanumeric, symbolic, or any appropriate values recognized andcomparable by TBAC module 110.

In particular embodiments, TBAC module 110 may redetermine risk level5350 when a change to access values occurs. As an example and not by wayof limitation, TBAC module 110 may receive updated subject token 115 k 5and update assurance level 4750 as described above with respect to FIGS.47 and 48. As another example and not by way of limitation, TBAC module110 may receive updated resource token 115 c 3 and update trust level4950 as described above with respect to FIGS. 49 and 50. As yet anotherexample and not by way of limitation, TBAC module 110 may receiveupdated network token 115 f 2 and update integrity level 5150 asdescribed above with respect to FIGS. 51 and 52. Based on an update toan access value such as the assurance level 4750, trust level 4950,and/or integrity level 5150, TBAC module 110 may update risk level 5350.After updating risk level 5350, TBAC module 110 may determine whether togrant or deny access to resource 145 by comparing the updated risk level5350 to required risk level 5340. TBAC module 110 may determine based atleast in part upon the at least one expert decision rule 5330 that risklevel 5350 is sufficient to grant access to resource 145 after theupdate. TBAC module 110 may then grant access to resource 145.

In particular embodiments, the value of risk level 5350 may correspondto the value of access values such as assurance level 4750, trust level4950, and/or integrity level 5150. As an example and not by way oflimitation, an increase in assurance level 4750 may decrease risk level5350. As another example and not by way of limitation, an increase inassurance level 4750 and integrity level 5150 and a decrease in trustlevel 4950 may correspond to an overall increase in risk level 5350. Inparticular embodiments, value of risk level 5350 may correspond to themagnitude of the values of access values such as assurance level 4750,trust level 4950, and/or integrity level 5150. In the previous example,the magnitudes of the increases to assurance level 4750 and integritylevel 5150 may have been small compared to the magnitude of the decreasein trust level 4950. As a result, the risk level 5350 may experience anoverall increase. Although this disclosure describes risk level 5350increasing and decreasing as a result of particular changes to assurancelevel 4750, trust level 4950, and/or integrity level 5150, thisdisclosure contemplates any appropriate update such as increase,decrease, or staying the same to risk level 5350 as a result of anyappropriate update to any appropriate access value.

In particular embodiments, risk level 5350 may indicate a riskassociated with granting user 112 and/or device 114 access to resource145 over network 120. Therefore, any risks associated with user 112,device 114, resource 145, and/or network 120 may influence risk level5350. When these risks are present, TBAC module 110 may determineappropriate assurance levels 4750, trust levels 4950, and/or integritylevels 5150 pursuant to those risks. TBAC module 110 may then determinerisk level 5350 based on these assurance levels 4750, trust levels 4950,and/or integrity levels 5150. TBAC module 110 may then determine whetherto grant access to resource 145 by comparing risk level 5350 withrequired risk level 5340.

In particular embodiments, risk token 115 m may be generated based onrisk level 5350. Risk token 115 m may represent the risk associated withgranting user 112 and/or device 114 access to resource 145 over network120. Risk token 115 m may be generated by a token provider such ascomputed risk token provider 124. In particular embodiments, TBAC module110 may also generate risk token 115 m.

The illustration of system 100 in FIG. 53 does not specificallyillustrate all of the elements from the illustration of system 100 inFIG. 1 so that particular aspects of system 100 may be emphasized.However, system 100 of FIG. 53 includes all the elements of system 100in FIG. 1. Although this disclosure describes TBAC module 110determining risk levels 5350 using assurance levels 4750, trust levels4950, and/or integrity levels 5150, this disclosure contemplates TBACmodule 110 determining any appropriate access value using anyappropriate number of access values.

FIG. 54 is a flowchart illustrating a method 5400 of performing expertdecisioning. TBAC module 110 may perform method 5400. As provided byFIG. 54, TBAC module 110 may begin by storing subject token 115 k,resource token 115 c, network token 115 f, among others as appropriatein step 5410. In step 5420 TBAC module 110 may determine that access toresource 145 has been requested. In particular embodiments, TBAC module110 may determine that access to resource 145 has been requested inresponse to receiving resource token 115 c associated with resource 145.TBAC module 110 may continue to step 5430 to determine assurance level4750, trust level 4950, and integrity level 5150. TBAC module 110 maydetermine these access values as described above with regards to FIGS.47 through 52.

TBAC module 110 may then use these access values to access expertdecision rules 5330 in step 5440. In particular embodiments, TBAC module110 may determine at least one expert decision rule 5330 applicable toresource 145. In particular embodiments, the at least one expertdecision rule 5330 may specify a required risk level 5340 necessary togrant access to resource 145, and may associate risk levels 5350 withparticular combinations of access values such as assurance level 4750,trust level 4950, and/or integrity level 5150. In step 5450, TBAC module110 may determine a required risk level 5340 necessary to grant accessto the resource 145 based on the at least one expert decision rule 5330.In particular embodiments, the at least one expert decision rule 5330may specify the required risk level 5340. In step 5460 TBAC module 110may determine a risk level 5350. In particular embodiments, TBAC module110 may determine risk level 5350 by first determining whether aparticular combination of access values such as assurance level 4750,trust level 4950, and/or integrity level 5150 specified by the at leastone expert decision rule 5330 is present. TBAC module 110 may then usethe risk level 5350 associated with that particular combination ofaccess values as specified by the at least one expert decision rule5330.

In step 5470, TBAC module 110 may determine whether the risk level 5350is sufficient to grant access to the resource 145. In particularembodiments, TBAC module 110 may compare risk level 5350 to requiredrisk level 5340 to determine whether risk level 5350 is sufficient togrant access to resource 145. If risk level 5350 is sufficient, TBACmodule 110 may grant access in step 5480. If risk level 5350 isinsufficient to grant access to the resource 145, then TBAC module 110may deny access in step 5472.

TBAC module 110 may continue by redetermining various access valuesbased on changes to user 112, device 114, resource 145, and/or network120. In step 5474 TBAC module 110 may receive an updated subject token115 k 5 associated with user 112 and/or device 114. In step 5476 TBACmodule 110 may receive an updated resource token 115 c 3 associated withresource 145. In step 5478 TBAC module 110 may receive an updatednetwork token 115 f 2 associated with network 120. After receiving anyof these updated tokens 115, TBAC module 110 may continue to step 5430to determine an assurance level 4750, trust level 4950, and/or integritylevel 5150.

FIGS. 55 and 56 illustrate the system 100 of FIG. 1 making accessdecisions using exceptions. In general, exceptions may exist for anytoken-based rule. The process of handling these exceptions and usingthem to make access decisions will be discussed with respect to FIGS. 55and 56.

TBAC module 110 may use tokens 115 to determine token-based rules andexceptions. A token-based rule may specify that the TBAC module 110should make a particular access decision, but a corresponding exceptionmay specify the opposite decision. TBAC module 110 may override thetoken-based rule and make an access decision according to the exception.

FIG. 55 illustrates the system 100 of FIG. 1 making access decisionsusing exceptions. As provided by FIG. 55, TBAC module 110 may correlatesubject token 115 k, network token 115 f, among others as appropriate,to session token 115 j. In particular embodiments, TBAC module 110 mayreceive resource token 115 c associated with resource 145. Resourcetoken 115 c may indicate that user 112 and/or device 114 have requestedaccess to resource 145. TBAC module 110 may determine that user 112and/or device 114 have requested access to resource 145 in response toreceiving resource token 115 c.

In particular embodiments, TBAC module 110 may use exceptions 5530stored in memory 134 to determine whether to grant or deny access toresource 145. Exceptions 5530 may specify access decisions that do notconform to those specified by token-based rules also stored in memory134 such as DDD1 rules 1930, RRR3 rules 2130, expert decision rules5330, or any other appropriate rules discussed with respect to otherfigures. In this manner, TBAC module 110 may make access decisions usingexceptions to general rules.

In particular embodiments, TBAC module 110 may use resource token 115 c,subject token 115 k, network 115 f, among others as appropriate, toaccess exceptions 5530. Using these tokens 115, TBAC module 110 maydetermine at least one exception 5530 applicable to resource 145. The atleast one exception 5530 may specify that access to resource 145 may begranted if a token 115 or a set of tokens 115 are present. As an exampleand not by way of limitation, the at least one exception 5530 mayspecify that access to resource 145 may be granted if a particularsubject token 115 k and a particular network token 115 f are present.Although this disclosure describes an exception 5530 conditioning accesson the presence of particular types of tokens, this disclosurecontemplates the at least one exception 5530 conditioning access on anynumber or any appropriate types of tokens 115.

After determining the at least one exception 5530, TBAC module 110 mayexamine the tokens 115 that are present to determine if the tokens 115specified by the at least one exception 5530 are present. If the tokens115 are present, TBAC module 110 may grant access to resource 145.However, if the tokens 115 are not present then TBAC module 110 may denyaccess to resource 145. Although this disclosure describes TBAC module110 granting access if particular tokens 115 are present based on the atleast one exception 5530, this disclosure contemplates TBAC module 110making any appropriate response based on the presence of tokens 115 andthe at least one exception 5530. For example, TBAC module 110 may denyaccess to resource 145 if particular tokens 115 are present based on theat least one exception 5530.

As an example and not by way of limitation, TBAC module 110 maydetermine that user 112 and/or device 114 have requested access toresource 145 over network 120. TBAC module 110 may determine atoken-based rule applicable to this resource request. The token-basedrule may specify that access should not be granted over network 120because network 120 is an unsecured network. However, TBAC module 110may also determine an exception 5530 applicable to this resourcerequest. The exception 5530 may specify that an administrator may begranted access over this network 120. Based on the exception 5530, TBACmodule 110 may examine subject tokens 115 k and determine that user 112is an administrator. TBAC module 110 may then grant user 112 and/ordevice 114 access to resource 145 over network 120 despite the generalrule that access should not be granted over network 120.

In particular embodiments, TBAC module 110 may deny access to resource145 if a particular token specified by the at least one exception 5530is not present. As an example and not by way of limitation, the at leastone exception 5530 may specify that access to resource 145 may begranted if a particular subject token 115 k is present. However, TBACmodule 110 may determine that that particular subject token 115 k is notpresent and deny access to resource 145. In particular embodiments, TBACmodule 110 may later receive the particular token 115 specified by theat least one exception 5530. As an example and not by way of limitation,TBAC module 110 may later receive a second subject token 115 k 2, secondresource token 115 c 2, second network token 115 f 3, and/or risk token115 m. TBAC module 110 may then grant access to resource 145 in responseto receiving the particular token 115.

As an example and not by way of limitation, TBAC module 110 may receivesecond subject token 115 k 2 from a token provider such as private tokenprovider 128 or public token provider 126. Second subject token 115 k 2may indicate that a form of authentication, such as biometricauthentication and/or password authentication, has been performed.Second subject token 115 k 2 may specify that device 114 comprises aparticular security feature such as, for example, a subscriber identitymodule and/or a trusted platform module security device. After receivingsecond subject token 115 k 2, TBAC module 110 may determine that theparticular tokens 115 specified by exception 5530 are present. TBACmodule 110 may then grant access to resource 145. In this manner, TBACmodule 110 may make access decisions using exceptions 5530 thatcondition access based on particular types of subject tokens 115 k.

As another example and not by way of limitation, TBAC module 110 mayreceive second resource token 115 c 2. Second resource token 115 c 2 mayindicate that a form of authentication associated with resource 145,such as Kerberos authentication, has been performed. Second resourcetoken 115 c 2 may indicate that resource 145 is associated withparticular security features. For example, second resource token 115 c 2may indicate that resource 145 is associated with a virtual privatenetwork or with a trusted platform module security device. As anotherexample, second resource token 115 c 2 may indicate that resource 145 isassociated with a firewall or with a digital certificate. Afterreceiving second resource token 115 c 2, TBAC module 110 may determinethat the particular tokens 115 specified by exception 5530 are present.TBAC module 110 may then grant access to resource 145. In this manner,TBAC module 110 may make access decisions using exceptions 5530 thatcondition access to resource 145 based on particular types of resourcetokens 115 c.

As another example and not by way of limitation, TBAC module 110 mayreceive second network token 115 f 3 from a token provider such asnetwork token provider 122. Second network token 115 f 3 may indicatethat network 120 performs a form of encryption such as Wi-Fi ProtectedAccess. Second network token 115 f 3 may indicate particular securityfeatures associated with network 120. For example, second network token115 f 3 may indicate that network 120 is operable to support dedicatedconnections or to perform the host identity protocol. As anotherexample, second network token 115 f 3 may indicate that network 120 isassociated with a firewall. After receiving second network token 115 f3, TBAC module 110 may determine that the particular tokens 115specified by exception 5530 are present. TBAC module 110 may then grantaccess to resource 145. In this manner, TBAC module 110 may make accessdecisions using exceptions 5530 that condition access to resource 145based on particular types of network tokens 115 f.

As another example and not by way of limitation, TBAC module 110 mayreceive risk token 115 m from a token provider such as the computed risktoken provider 124. Risk token 115 m may indicate the risk associatedwith granting access to resource 145. In particular embodiments, thisrisk may be increased or reduced based on the performance of particularforms of authentication and/or encryption. This risk may be furtherinfluenced by particular security features associated with resource 145,device 114, and/or network 120. After receiving risk token 115 m, TBACmodule 110 may determine that the particular tokens 115 specified byexception 5530 are present. TBAC module 110 may then grant access toresource 145. In this manner, TBAC module 110 may make access decisionsusing exceptions 5530 that condition access to resource 145 based onrisk token 115 m.

The illustration of system 100 in FIG. 55 does not specificallyillustrate all of the elements from the illustration of system 100 inFIG. 1 so that particular aspects of system 100 may be emphasized.However, system 100 of FIG. 55 includes all the elements of system 100in FIG. 1.

FIG. 56 is a flowchart illustrating a method 5600 of making accessdecisions using exceptions 5530. TBAC module 110 may perform method5600. TBAC module 110 may begin by storing subject tokens 115 k, networktokens 115 f, among others as appropriate in step 5610. In step 5620,TBAC module 110 may determine that access to a resource 145 has beenrequested. In particular embodiments, TBAC module 110 may receive aresource token 115 c indicating that access to resource 145 has beenrequested. TBAC module 110 may determine that access has been requestedin response to receiving resource token 115 c. In step 5630 TBAC module110 may use resource token 115 c, subject token 115 k, network token 115f, among others as appropriate, to access exceptions 5530 stored inmemory 134. In particular embodiments, TBAC module 110 may use thesetokens 115 to determine at least one exception 5530 applicable toresource 145. In step 5640, TBAC module 110 may determine a set oftokens 115 necessary to grant access to resource 145 based on the atleast one exception 5530.

In step 5650, TBAC module 110 may determine if the tokens 115 in the setof tokens 115 are present. If the tokens 115 are present, TBAC module110 may grant access in step 5660. However, if the tokens 115 are notpresent, TBAC module 110 may deny access in step 5670. After denyingaccess, TBAC module 110 may receive at least one token 115 in step 5680.As an example and not by way of limitation, TBAC module 110 may receivesecond subject token 115 k 2, second resource token 115 c 2, secondnetwork token 115 f 3, and/or risk token 115 m. After receiving this atleast one token 115, TBAC module 110 may return to step 5650 todetermine if the tokens 115 in the set of tokens 115 are present. Inparticular embodiments, TBAC module 110 may determine that the tokens115 in the set of tokens 115 are now present and grant access toresource 145 in step 5660.

FIGS. 57 and 58 illustrate the system 100 of FIG. 1 performingend-to-end encryption. In general, various forms of encryption may beperformed prior to granting access to a resource 145. The process ofdetermining whether particular forms of encryption should be performedor have been performed is known as end-to-end encryption and will bediscussed with respect to FIGS. 57 and 58.

TBAC module 110 may determine the forms of encryption that have beenperformed and the forms of encryption that should be performed. AfterTBAC module 110 determines that the forms of encryptions that should beperformed have been performed, TBAC module 110 may grant access to arequested resource 145.

FIG. 57 illustrates the system 100 of FIG. 1 performing end-to-endencryption. As provided by FIG. 57, TBAC module 110 may correlatesubject token 115 k, among others as appropriate, to session token 115j. Subject token 115 k may be associated with user 112 and/or device114. In particular embodiments, TBAC module 110 may receive resourcetoken 115 c indicating that user 112 and/or device 114 have requestedaccess to resource 145. TBAC module 110 may determine that access toresource 145 has been requested in response to receiving resource token115 c.

In particular embodiments, TBAC module 110 may receive network token 115f associated with network 120. Network token 115 f may indicate thatnetwork 120 has performed or may perform a first form of encryption suchas the host identity protocol. Although this disclosure describes TBACmodule 110 receiving a particular token 115 that indicates a particularform of encryption has been or may be performed, this disclosurecontemplates TBAC module 110 receiving any appropriate token 115indicating any appropriate form of encryption has been or may beperformed. Although this disclosure describes network 120 performing aparticular form of encryption, this disclosure contemplates anyappropriate element of system 100 whether alone or in combination withother appropriate elements of system 100 performing any appropriate formof encryption.

In particular embodiments, TBAC module 110 may use network token 115 f,resource token 115 c, subject token 115 k, among others as appropriate,to access encryption rules 5730 stored in memory 134. TBAC module 110may use one or more of these tokens 115 to determine at least oneencryption rule 5730 applicable to resource 145. The at least oneencryption rule 5730 may specify forms of encryption that are necessaryto grant access to resource 145. As an example and not by way oflimitation, the at least one encryption rule 5730 may specify thatperforming the host identity protocol and Wi-Fi Protected Access arenecessary to grant access to resource 145.

TBAC module 110 may determine that a token 115 indicates that a form ofencryption specified by the at least one encryption rule 5730 has beenperformed. For example, TBAC module 110 may determine that network token115 f indicates that the host identity protocol has been or may beperformed by network 120.

TBAC module 110 may then determine, based on the at least one encryptionrule 5730, that a second form of encryption should be performed beforeaccess to resource 145 may be granted. For example, based on the atleast one encryption rule 5730, TBAC module 110 may then determine thatWi-Fi Protected Access should also be performed before access toresource 145 may be granted. However, if TBAC module 110 determines thatthe tokens 115 that are present do not indicate that Wi-Fi ProtectedAccess has been performed, then TBAC module 110 may deny access toresource 145 in response. Although this disclosure describes the atleast one encryption rule 5730 specifying a particular number ofparticular forms of encryption, this disclosure contemplates the atleast one encryption rule 5730 specifying any appropriate number andcombination of any appropriate forms of encryption. For example, theforms of encryption may be associated with different layers of the opensystems interconnection model; one form of encryption specified by theat least one encryption rule 5730 may be associated with a lower layerof the model than another form of encryption specified by the at leastone encryption rule 5730.

In particular embodiments, TBAC module 110 may receive a second token115 such as second network token 115 f 3 or second resource token 115 c2. The second token 115 may indicate that a second form of encryptionhas been or may be performed. As an example and not by way oflimitation, second network token 115 f 3 may indicate that network 120performs Wi-Fi Protected Access. As another example and not by way oflimitation, second resource token 115 c 3 may indicate that informationwithin the resource 145 has been encrypted. In response to receivingsecond network token 115 f 3, TBAC module 110 may determine that Wi-FiProtected Access has been performed by network 120. After receiving thesecond token 115, TBAC module 110 may determine that the forms ofencryption necessary to grant access to resource 145 have been performedbased on the at least one encryption rule 5730. In response to thatdetermination, TBAC module 110 may generate a decision token 115 nrepresenting the decision that access to resource 145 may be granted.TBAC module 110 may then transmit decision token 115 n to theappropriate element of system 100, such as resource provider 140, sothat access to resource 145 may be granted to user 112 and/or device 114over network 120.

In particular embodiments, the at least one encryption rule 5730 mayspecify additional forms of encryption necessary to grant access toresource 145. As an example and not by way of limitation, the at leastone encryption rule 5730 may specify that internet protocol securityshould be performed before granting access to resource 145. Based on theat least one encryption rule 5730, TBAC module 110 may determine thatinternet protocol security should be performed before granting access toresource 145. In response, TBAC module 110 may generate message 5710. Inparticular embodiments, message 5710 may indicate that internet protocolsecurity should be performed before TBAC module 110 may grant access toresource 145. TBAC module 110 may then transmit message 5710 to theappropriate element of system 100. As an example and not by way oflimitation, TBAC module 110 may transmit message 5710 to network 120 todetermine if network 120 performs internet protocol security.

In particular embodiments, encryption rules 5730 may be used to decrypttokens 115. For example, TBAC module 110 may receive an encrypted token115 w. TBAC module 110 may use the encrypted token 115 w to accessencryption rules 5730. In particular embodiments, TBAC module 110 maydetermine at least one encryption rule 5730 applicable to encryptedtoken 115 w. The at least one encryption rule 5730 may specify forms ofencryption that have been performed on encrypted token 115 w. Forexample, TBAC module 110 may use the at least one encryption rule 5730to determine that a first form of encryption and a second form ofencryption have been performed on encrypted token 115 w. TBAC module 110may then determine the necessary steps to decrypt encrypted token 115 w.For example, TBAC module 110 may determine, based on the at least oneencryption rule 5730, that a first form of decryption and a second formof decryption should be performed on encrypted token 115 w. TBAC module110 may examine encrypted token 115 w and determine that the first formof decryption has been performed on encrypted token 115 w. In responseto that determination, TBAC module 110 may determine that the secondform of decryption should now be performed on encrypted token 115 w.After the second form of decryption has been performed, TBAC module 110may determine that encrypted token 115 w is no longer encrypted. TBACmodule 110 may then determine the information represented by theresulting token 115.

Although this disclosure describes TBAC module 110 receiving particulartypes of tokens 115 that indicate particular forms of encryption, thisdisclosure contemplates TBAC module 110 receiving any appropriate typeof token 115 indicating any appropriate form of encryption. Theillustration of system 100 in FIG. 57 does not specifically illustrateall the elements from the illustration of system 100 in FIG. 57 so thatparticular aspects of system 100 may be emphasized. However, system 100of FIG. 57 includes all the elements of system 100 in FIG. 1.

FIG. 58 is a flowchart illustrating a method 5800 of performingend-to-end encryption. TBAC module 110 may perform method 5800. TBACmodule 110 may begin by storing subject tokens 115 k, session token 115j, among others as appropriate, in step 5810. In step 5820 TBAC module110 may determine that access to a resource 145 has been requested. Inparticular embodiments, TBAC module 110 may receive a resource token 115c associated with resource 145. TBAC module 110 may determine thataccess to resource 145 has been requested in response to receivingresource token 115 c. TBAC module 110 may continue to step 5830 toreceive a network token 115 f indicating that a first form of encryptionhas been performed. Network token 115 f may be received from a tokenprovider such as network provider 122.

In step 5840 TBAC module 110 may use network token 115 f, resource token115 c, subject token 115 k, among others as appropriate, to accessencryption rules 5730. Based on these tokens 115, TBAC module 110 maydetermine at least one encryption rule 5730 applicable to resource 145.In particular embodiments, the at least one encryption rule 5730 mayspecify the forms of encryption necessary to grant access to resource145. Based on the at least one encryption rule 5730, TBAC module 110 maydetermine a second form of encryption necessary to grant access toresource 145 in step 5850. In step 5860 TBAC module 110 may determinewhether the second form of encryption has been performed. In particularembodiments, TBAC module 110 may examine various tokens 115 such asnetwork token 115 f to determine whether the second form of encryptionhas been performed. If the second form of encryption has been performed,TBAC module 110 may generate a decision token 115 n indicating thataccess to resource 145 should be granted in step 5870. Then in step 5880TBAC module 110 may transmit the decision token 115 n to an appropriateelement of system 100 such as resource provider 140 so that access toresource 145 may be granted.

If TBAC module 110 determines that the second form of encryption has notbeen performed, TBAC module 110 may deny access in step 5890. Afterdenying access, TBAC module 110 may receive a second token 115 such assecond network token 115 f 3 or second resource token 115 c 2 in step5895. The second token 115 may indicate that the second form ofencryption has been performed. TBAC module 110 may then return to step5860 to determine if the second form of encryption has been performedbased on the second token 115.

Although this disclosure describes system 100 using singular tokens 115a-x to perform the described functions, this disclosure contemplatessystem 100 using any suitable number and combination of tokens 115 a-xto perform the described functions.

Although the present invention has been described with severalembodiments, a myriad of changes, variations, alterations,transformations, and modifications may be suggested to one skilled inthe art, and it is intended that the present invention encompass suchchanges, variations, alterations, transformations, and modifications asfall within the scope of the appended claims.

What is claimed is:
 1. An apparatus comprising: a memory operable to: store a plurality of token-based rules, wherein a token-based rule facilitates access to a resource; and store a plurality of resource tokens associated with the resource; and a processor communicatively coupled to the memory and operable to: receive a first resource token indicating that access to the resource has been requested; determine, based at least in part upon the first resource token, at least one token-based rule from the plurality of token-based rules, wherein: the at least one token-based rule associates a first access value with at least one resource token, wherein the at least one resource token indicates at least one of: that the resource is associated with a trusted platform module security device; and that the resource is associated with a virtual private network; the first access value indicates the risk associated with granting access to the resource; and the at least one token-based rule specifies at least one condition under which access to the resource should be granted, the first access value associated with the at least one condition; determine that the at least one resource token associated with the first access value is included in the plurality of resource tokens; determine, based at least in part upon the at least one token-based rule, a second access value associated with the at least one resource token in response to the determination that the plurality of resource tokens comprises the at least one resource token, wherein the second access value indicates a chance that at least one of that access is granted to an unrequested resource and that the resource corrupts the device; determine, based at least upon the at least one token-based rule, that the second access value is insufficient to grant access to the resource by comparing the second access value with the first access value; determine, in response to the determination that the value of the second, access value is insufficient to grant access to the resource, that access to the resource should be denied; communicate a first decision token indicating that access by at least one of the user and the device to the resource should be denied; receive an updated resource token; redetermine the second access value based at least in part upon the updated resource token; determine, based at least in part upon the at least one token-based rule, that the redetermined second access value is sufficient to grant access to the resource by comparing the redetermined second access value with the first access value; and communicate a second decision token indicating that access by at least one of the user and the device to the resource should be granted.
 2. The apparatus of claim 1, wherein the processor is further operable to: receive an updated resource token indicating that a form of authentication associated with the resource has been performed; redetermine the value of the second access value based at least in part upon the updated resource token; and determine, based at least in part upon the at least one token-based rule, that the redetermined value of the second access value is sufficient to grant access to the resource.
 3. The apparatus of claim 1, wherein the processor is further operable to: receive an updated resource token indicating that security associated with the resource has not been compromised; redetermine the value of the second access value based at least in part upon the updated resource token; and determine, based at least in part upon the at least one token-based rule, that the redetermined value of the second access value is sufficient to grant access to the resource.
 4. The apparatus of claim 1, wherein the at least one resource token indicates at least one of: that the resource has performed Kerberos authentication; and that the resource is associated with a digital certificate.
 5. The apparatus of claim 1, wherein the at least one resource token indicates at least one of: that the resource is associated with a firewall; and that the resource is not infected by a virus.
 6. The apparatus of claim 1, wherein: the at least one token-based rule associates the second access value with a combination of resource tokens; and the value of the second access value corresponds to the number of resource tokens included in the combination of resource tokens.
 7. A method comprising: storing, by a memory, a plurality of token-based rules, wherein a token-based rule facilitates access to a resource; storing, by the memory, a plurality of resource tokens associated with the resource; receiving, by a processor communicatively coupled to the memory, a first resource token indicating that access to the resource has been requested; determining, by the processor, based at least in part upon the first resource token, at least one token-based rule from the plurality of token-based rules, wherein: the at least one token-based rule associates a first access value with at least one resource token, wherein the at least one resource token indicates at least one of: that the resource is associated with a trusted platform module security device; and that the resource is associated with a virtual private network; the first access value indicates the risk associated with granting access to the resource; and the at least one token-based rule specifies at least one condition under which access to the resource should be granted, the first access value associated with the at least one condition; determining, by the processor, that the at least one resource token associated with the first access value is included in the plurality of resource tokens; determining, by the processor, based at least in part upon the at least one token-based rule, a second access value associated with the at least one resource token in response to the determination that the plurality of resource tokens comprises the at least one resource token, wherein the second access value indicates a chance that at least one of that access is granted to an unrequested resource and that the resource corrupts the device; determining, by the processor, based at least upon the at least one token-based rule, that the second access value is insufficient to grant access to the resource by comparing the second access value with the first access value; determining, by the processor, in response to the determination that the value of the second access value is insufficient to grant access to the resource, that access to the resource should be denied; communicating a first decision token indicating that access by at least one of the user and the device to the resource should be denied; receiving an updated resource token; redetermining, by the processor, the second access value based at least in part upon the updated resource token; determining, by the processor, based at least in part upon the at least one token-based rule, that the redetermined second access value is sufficient to grant access to the resource by comparing the redetermined second access value with the first access value; and communicating a second decision token indicating that access by at least one of the user and the device to the resource should be granted.
 8. The method of claim 7, further comprising: receiving, by the processor, an updated resource token indicating that a form of authentication associated with the resource has been performed; redetermining, by the processor, the value of the second access value based at least in part upon the updated resource token; and determining, by the processor, based at least in part upon the at least one token-based rule, that the redetermined value of the second access value is sufficient to grant access to the resource.
 9. The method of claim 7, further comprising: receiving, by the processor, an updated resource token indicating that security associated with the resource has not been compromised; redetermining, by the processor, the value of the second access value based at least in part upon the updated resource token; and determining, by the processor, based at least in part upon the at least one token-based rule, that the redetermined value of the second access value is sufficient to grant access to the resource.
 10. The method of claim 7, wherein the at least one resource token indicates at least one of: that the resource has performed Kerberos authentication; and that the resource is associated with a digital certificate.
 11. The method of claim 7, wherein the at least one resource token indicates at least one of: that the resource is associated with a firewall; and that the resource is not infected by a virus.
 12. The method of claim 7, wherein: the at least one token-based rule associates the second access value with a combination of resource tokens; and the value of the second access value corresponds to the number of resource tokens included in the combination of resource tokens.
 13. One or more computer-readable non-transitory storage media embodying software that is operable when executed to: store a plurality of token-based rules, wherein a token-based rule facilitates access to a resource; store a plurality of resource tokens associated with the resource; receive a first resource token indicating that access to the resource has been requested; determine, based at least in part upon the first resource token, at least one token-based rule from the plurality of token-based rules, wherein: the at least one token-based rule associates a first access value with at least one resource token, wherein the at least one resource token indicates at least one of: that the resource is associated with a trusted platform module security device; and that the resource is associated with a virtual private network; the first access value indicates the risk associated with granting access to the resource; and the at least one token-based rule specifies at least one condition under which access to the resource should be granted, the first access value associated with the at least one condition; determine that the at least one resource token associated with the first access value is included in the plurality of resource tokens; determine, based at least in part upon the at least one token-based rule, a second access value associated with the at least one resource token in response to the determination that the plurality of resource tokens comprises the at least one resource token, wherein the second access value indicates a chance that at least one of that access is granted to an unrequested resource and that the resource corrupts the device; determine, based at least upon the at least one token-based rule, that the second access value is insufficient to grant access to the resource by comparing the second access value with the first access value; determine, in response to the determination that the value of the second access value is insufficient to grant access to the resource, that access to the resource should be denied; communicate a first decision token indicating that access by at least one of the user and the device to the resource should be denied; receive an updated resource token; redetermine the second access value based at least in part upon the updated resource token; determine, based at least in part upon the at least one token-based rule, that the redetermined second access value is sufficient to grant access to the resource by comparing the redetermined second access value with the first access value; and communicate a second decision token indicating that access by at least one of the user and the device to the resource should be granted.
 14. The media of claim 13 embodying software further operable when executed to: receive an updated resource token indicating that a form of authentication associated with the resource has been performed; redetermine the value of the second access value based at least in part upon the updated resource token; and determine, based at least in part upon the at least one token-based rule, that the redetermined value of the second access value is sufficient to grant access to the resource.
 15. The media of claim 13 embodying software further operable when executed to: receive an updated resource token indicating that security associated with the resource has not been compromised; redetermine the value of the second access value based at least in part upon the updated resource token; and determine, based at least in part upon the at least one token-based rule, that the redetermined value of the second access value is sufficient to grant access to the resource.
 16. The media of claim 13, wherein the at least one resource token indicates at least one of: that the resource has performed Kerberos authentication; and that the resource is associated with a digital certificate.
 17. The media of claim 13, wherein the at least one resource token indicates at least one of: that the resource is associated with a firewall; and that the resource is not infected by a virus.
 18. The media of claim 13, wherein: the at least one token-based rule associates the second access value with a combination of resource tokens; and the value of the second access value corresponds to the number of resource tokens included in the combination of resource tokens. 